{
  "threat_severity" : "Important",
  "public_date" : "2018-10-05T00:00:00Z",
  "bugzilla" : {
    "description" : "git: arbitrary code execution via .gitmodules",
    "id" : "1636619",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1636619"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.8",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-77",
  "details" : [ "Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive \"git clone\" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.", "An option injection flaw has been discovered in git when it recursively clones a repository with sub-modules. A remote attacker may configure a malicious repository and trick a user into recursively cloning it, thus executing arbitrary commands on the victim's machine." ],
  "statement" : "OpenShift Container Platform (OCP) source-to-image uses the git client packaged with the OCP container images. Since RHEL7 and its associated images are impacted, source-to-image is also impacted. The atomic-openshift package running on the masters controls the code that determines the source-to-image build image in use; therefore a cluster update is required to patch this issue. Full instructions will be provided in the Security Errata for this issue.\nIn OCP 3.6 and earlier, source-to-image executes in a privileged container on the node. Therefore the severity of this CVE is important for these versions. OCP 3.7 and later execute source-to-image git pulls in an unprivileged init container.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2020-02-03T00:00:00Z",
    "advisory" : "RHSA-2020:0316",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "git-0:1.7.1-10.el6_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2018-10-30T00:00:00Z",
    "advisory" : "RHSA-2018:3408",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "git-0:1.8.3.1-20.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2018-11-13T00:00:00Z",
    "advisory" : "RHSA-2018:3541",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6",
    "package" : "rh-git29-git-0:2.9.3-7.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS",
    "release_date" : "2018-11-13T00:00:00Z",
    "advisory" : "RHSA-2018:3541",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6",
    "package" : "rh-git29-git-0:2.9.3-7.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2018-11-13T00:00:00Z",
    "advisory" : "RHSA-2018:3541",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-git29-git-0:2.9.3-8.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS",
    "release_date" : "2018-11-13T00:00:00Z",
    "advisory" : "RHSA-2018:3541",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-git29-git-0:2.9.3-8.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS",
    "release_date" : "2018-11-13T00:00:00Z",
    "advisory" : "RHSA-2018:3541",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-git29-git-0:2.9.3-6.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS",
    "release_date" : "2018-11-13T00:00:00Z",
    "advisory" : "RHSA-2018:3541",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-git29-git-0:2.9.3-6.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS",
    "release_date" : "2018-11-13T00:00:00Z",
    "advisory" : "RHSA-2018:3541",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-git29-git-0:2.9.3-8.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "git",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Affected",
    "package_name" : "camel",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Affected",
    "package_name" : "camel",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse Integration Service 2",
    "fix_state" : "Affected",
    "package_name" : "camel",
    "cpe" : "cpe:/a:redhat:fuse_integration_services:2"
  }, {
    "product_name" : "Red Hat Mobile Application Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "fh-scm",
    "cpe" : "cpe:/a:redhat:mobile_application_platform:4"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-git218-git",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-17456\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-17456" ],
  "name" : "CVE-2018-17456",
  "csaw" : false
}