#VU16148 Command injection in Git - CVE-2018-19486

Cybersecurity Help s.r.o.

Published: 2018-11-28 | Updated: 2018-11-28

Vulnerability identifier: #VU16148

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-19486

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Git
Client/Desktop applications / Software for system administration

Vendor: Git

Description

The vulnerability allows a remote authenticated attacker to execute arbitrary commands on the target system.

The vulnerability exists due to a flaw in the run_command() API and 'run-command.c' when handling malicious input. A remote attacker can issue specially crafted commands from the current working directory and execute arbitrary commands on the target system.

Mitigation
Update to version 2.19.2.

Vulnerable software versions

Git: 2.19.0 - 2.19.1

External links
https://git.kernel.org/pub/scm/git/git.git/tree/Documentation/RelNotes/2.19.2.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for Git

OpenSUSE Linux update for git

Amazon Linux AMI update for git

Command injection in git (Alpine package)

Command execution in Git

Fedora 28 update for git

Fedora 29 update for git