Vulnerability Details : CVE-2015-7545
The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.
Vulnerability category: Input validationExecute codeBypassGain privilege
Threat overview for CVE-2015-7545
Top countries where our scanners detected CVE-2015-7545
Top open port discovered on systems with this issue
8200
IPs affected by CVE-2015-7545 33
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2015-7545!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2015-7545
Probability of exploitation activity in the next 30 days: 7.82%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 93 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2015-7545
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
|
9.8
|
CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2015-7545
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
-
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-7545
-
https://github.com/git/git/blob/master/Documentation/RelNotes/2.5.4.txt
git/2.5.4.txt at master · git/git · GitHubPatch;Vendor Advisory
-
http://www.ubuntu.com/usn/USN-2835-1
USN-2835-1: Git vulnerability | Ubuntu security notices
-
https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021
33cfccbbf35a56e190b79bdec5c85457c952a021 - pub/scm/git/git - Git at Google
-
https://github.com/git/git/blob/master/Documentation/RelNotes/2.4.10.txt
git/2.4.10.txt at master · git/git · GitHubPatch;Vendor Advisory
-
http://www.openwall.com/lists/oss-security/2015/12/08/5
oss-security - CVE for git issue - please use CVE-2015-7545
-
https://security.gentoo.org/glsa/201605-01
Git: Multiple vulnerabilities (GLSA 201605-01) — Gentoo security
-
http://www.securitytracker.com/id/1034501
GIT git-remote-ext Helper URL Processing Lets Remote Users Execute Arbitrary Commands on the Target System - SecurityTracker
-
https://github.com/git/git/blob/master/Documentation/RelNotes/2.3.10.txt
git/2.3.10.txt at master · git/git · GitHubPatch;Vendor Advisory
-
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
Oracle Solaris Bulletin - April 2016
-
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
Oracle Linux Bulletin - October 2015
-
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
Oracle Linux Bulletin - January 2016
-
https://lkml.org/lkml/2015/10/5/683
LKML: Junio C Hamano: [ANNOUNCE] Git v2.6.1, v2.5.4, v2.4.10 and v2.3.10
-
https://bugzilla.redhat.com/show_bug.cgi?id=1269794
1269794 – (CVE-2015-7545) CVE-2015-7545 git: arbitrary code execution via crafted URLs
-
http://www.openwall.com/lists/oss-security/2015/12/09/8
oss-security - Re: CVE for git issue - please use CVE-2015-7545
-
http://rhn.redhat.com/errata/RHSA-2015-2515.html
RHSA-2015:2515 - Security Advisory - Red Hat Customer Portal
-
http://www.openwall.com/lists/oss-security/2015/12/11/7
oss-security - Re: CVE for git issue - please use CVE-2015-7545
-
http://www.securityfocus.com/bid/78711
Git CVE-2015-7545 Remote Command Execution Vulnerability
-
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.533255
The Slackware Linux Project: Slackware Security Advisories
-
http://www.debian.org/security/2016/dsa-3435
Debian -- Security Information -- DSA-3435-1 git
-
https://github.com/git/git/blob/master/Documentation/RelNotes/2.6.1.txt
git/2.6.1.txt at master · git/git · GitHub
-
http://lists.opensuse.org/opensuse-updates/2015-11/msg00066.html
openSUSE-SU-2015:1968-1: moderate: Security update for git
Products affected by CVE-2015-7545
- cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
- cpe:2.3:a:git_project:git:*:*:*:*:*:*:*:*
- cpe:2.3:a:git_project:git:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:git_project:git:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:git_project:git:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:git_project:git:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:git_project:git:2.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:git_project:git:2.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:git_project:git:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:git_project:git:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:git_project:git:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:git_project:git:2.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:git_project:git:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:git_project:git:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:git_project:git:2.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:git_project:git:2.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:git_project:git:2.4.5:*:*:*:*:*:*:*