suse · CVE-2018-11235

Quick triage

Priority: high Published: 2021-05-30 14:13:24 UTC Updated: 2026-04-17 15:25:45 UTC

View at Official suse advisory, NVD, CVE.org · CVE detail

Freshness: upstream tracker timestamp is available; use API updated time as primary recency signal.

Tracker summary

CVE-2018-11235 severity important: SUSE including 205 source package names (emacs-git-1.8.3.1-14.el7_5, emacs-git-el-1.8.3.1-14.el7_5, …), 318 product×package rows across 60 product lines (HPE Helion OpenStack 8, SUSE Enterprise Storage 4, … (60 product lines)): Fixed 312, Known Not Affected 6.

Description:

In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.

cvelogic Threat Intelligence