English | Deutsch | Español
 
Home ▼
Home About Us Contact Us Privacy Partner Programs Testimonials In Press Mailing Lists Abuse Developer APIs
Bookkeeping
Online ▼
Home Free Trial FAQ
Open/Create Company File Accept an Invite Order/Renew
Security
Audits ▼
Home Dedicated audits Advanced audits Standard audits Recurring audits No Risk audits Desktop audits Basic audit Security Seal FAQ Price/Feature Summary Order New Tests All Tests Confidentiality Vulnerability search Run Audit Scheduler IP Permissions Audit Configuration Editor Scan Queue Reminder Notification Schedule Seal Reports Reports Style Editor
Managed
DNS ▼
About Order FAQ Acceptable Use Policy Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password
Network
Monitor ▼
Enterprise Package Advanced Package Standard Package Free Trial FAQ Price/Feature Summary Order/Renew Examples
Configure/Status Alert Profiles
Research
Reports ▼
Home FAQ Glossary Archive
 Login/Register 
 
 Vulnerability   
Search   		     Search 219043 CVE descriptions
and 99761 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.1.2.2019.1420
Category:Huawei EulerOS Local Security Checks
Title:Huawei EulerOS: Security Advisory for git (EulerOS-SA-2019-1420)
Summary:The remote host is missing an update for the Huawei EulerOS 'git' package(s) announced via the EulerOS-SA-2019-1420 advisory.
Description:Summary:
The remote host is missing an update for the Huawei EulerOS 'git' package(s) announced via the EulerOS-SA-2019-1420 advisory.

Vulnerability Insight:
In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs 'git clone --recurse-submodules' because submodule 'names' are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with '../' in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.(CVE-2018-11235)

A shell command injection flaw related to the handling of 'ssh' URLs has been discovered in Git. An attacker could use this flaw to execute shell commands with the privileges of the user running the Git client, for example, when performing a 'clone' action on a malicious repository or a legitimate repository containing a malicious commit.(CVE-2017-1000117)

Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.(CVE-2017-14867)

It was found that the git-prompt.sh script shipped with git failed to correctly handle branch names containing special characters. A specially crafted git repository could use this flaw to execute arbitrary commands if a user working with the repository configured their shell to include repository information in the prompt.(CVE-2014-9938)

An integer truncation flaw and an integer overflow flaw, both leading to a heap-based buffer overflow, were found in the way Git processed certain path information. A remote attacker could create a specially crafted Git repository that would cause a Git client or server to crash or, possibly, execute arbitrary code.(CVE-2016-2324)

A flaw was found in the way the git-remote-ext helper processed certain URLs. If a user had Git configured to automatically clone submodules from untrusted repositories, an attacker could inject commands into the URL of a submodule, allowing them to execute arbitrary code on the user's system.(CVE-2015-7545)

Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive 'git clone' of a superproject if a .gitmodules file has a URL field beginning with a '-' character.(CVE-2018-17456)

An integer truncation flaw and an integer overflow flaw, both leading to a heap-based buffer overflow, were found in the way Git processed certain path information. A remote attacker could create a specially crafted Git repository that would cause a Git client or server to crash or, possibly, execute arbitrary code.(CVE-2016-2315)

Affected Software/OS:
'git' package(s) on Huawei EulerOS Virtualization 3.0.1.0.

Solution:
Please install the updated package(s).

CVSS Score:
10.0

CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2014-9938
https://github.com/njhartwell/pw3nage
RedHat Security Advisories: RHSA-2017:2004
https://access.redhat.com/errata/RHSA-2017:2004
Common Vulnerability Exposure (CVE) ID: CVE-2015-7545
BugTraq ID: 78711
http://www.securityfocus.com/bid/78711
Debian Security Information: DSA-3435 (Google Search)
http://www.debian.org/security/2016/dsa-3435
https://security.gentoo.org/glsa/201605-01
https://lkml.org/lkml/2015/10/5/683
http://www.openwall.com/lists/oss-security/2015/12/08/5
http://www.openwall.com/lists/oss-security/2015/12/09/8
http://www.openwall.com/lists/oss-security/2015/12/11/7
RedHat Security Advisories: RHSA-2015:2515
http://rhn.redhat.com/errata/RHSA-2015-2515.html
http://www.securitytracker.com/id/1034501
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.533255
SuSE Security Announcement: openSUSE-SU-2015:1968 (Google Search)
http://lists.opensuse.org/opensuse-updates/2015-11/msg00066.html
http://www.ubuntu.com/usn/USN-2835-1
Common Vulnerability Exposure (CVE) ID: CVE-2016-2315
BugTraq ID: 84355
http://www.securityfocus.com/bid/84355
Debian Security Information: DSA-3521 (Google Search)
http://www.debian.org/security/2016/dsa-3521
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179121.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183147.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/180763.html
http://pastebin.com/UX2P2jjg
http://www.openwall.com/lists/oss-security/2016/03/15/5
RedHat Security Advisories: RHSA-2016:0496
http://rhn.redhat.com/errata/RHSA-2016-0496.html
http://www.securitytracker.com/id/1035290
SuSE Security Announcement: SUSE-SU-2016:0796 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00059.html
SuSE Security Announcement: SUSE-SU-2016:0798 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00060.html
SuSE Security Announcement: openSUSE-SU-2016:0802 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00061.html
SuSE Security Announcement: openSUSE-SU-2016:0803 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00062.html
SuSE Security Announcement: openSUSE-SU-2016:0826 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00071.html
SuSE Security Announcement: openSUSE-SU-2016:0829 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00074.html
SuSE Security Announcement: openSUSE-SU-2016:0831 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00076.html
SuSE Security Announcement: openSUSE-SU-2016:0832 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00077.html
SuSE Security Announcement: openSUSE-SU-2016:0958 (Google Search)
http://lists.opensuse.org/opensuse-updates/2016-04/msg00011.html
http://www.ubuntu.com/usn/USN-2938-1
Common Vulnerability Exposure (CVE) ID: CVE-2016-2324
CopyrightCopyright (C) 2020 Greenbone Networks GmbH

This is only one of 99761 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.



© 1998-2024 E-Soft Inc. All rights reserved.