CVE-2015-8968

Published: Nov 3, 2016Modified: May 6, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

git-fastclone before 1.0.1 permits arbitrary shell command execution from .gitmodules. If an attacker can instruct a user to run a recursive clone from a repository they control, they can get a client to run an arbitrary shell command. Alternately, if an attacker can MITM an unencrypted git clone, they could exploit this. The ext command will be run if the repository is recursively cloned or if submodules are updated. This attack works when cloning both local and remote repositories.

Affected (1)

Products: Squareup: Git Fastclone

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Squareup Git Fastclone	Before 1.0.1

Related CWEs

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (6)

http://www.securityfocus.com/bid/81433

Source: support@hackerone.com

Third Party AdvisoryVDB Entry

https://github.com/square/git-fastclone/pull/2

Source: support@hackerone.com

PatchVendor Advisory

https://hackerone.com/reports/104465

Source: support@hackerone.com

ExploitThird Party Advisory

http://www.securityfocus.com/bid/81433

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://github.com/square/git-fastclone/pull/2

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://hackerone.com/reports/104465

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.