Wednesday, May 30, 2018

Arbitrary Code Execution Vulnerability in Git

A new security vulnerability was disclosed and any Git versions previous to 2.13.7, 2.14.4, 2.15.2, 2.16.4 and 2.17.1 are affected.

This security vulnerability can lead to arbitrary code execution when a user operates in a malicious repository.

With a crafted .gitmodules file, the malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server. 

Our team is working on updating the affected solutions available through Bitnami. This will ensure that all new installations and launches will be secured against these issues. If you have a running application with Git, you will need to migrate the content of your deployment to a secured one.

In case you have installed Git using the system packages, please update the component when the new package is available for your operating system.

If you have any questions about the security issue or how to migrate your data, please post to our community support forum and we will be happy to help!