Home / Companies / GitHub / Blog / Post Details
Content Deep Dive

Git Submodule Vulnerability Announced

Blog post from GitHub

Post Details
Company
Date Published
Author
Jeff King
Word Count
590
Company Posts That Month
30
Language
English
Hacker News Points
-
Post removed?
No
Summary

A vulnerability identified as CVE-2018-17456 in Git allowed arbitrary code execution during the cloning of malicious repositories, prompting the release of Git v2.19.1 and various backports as a remedy. Users are advised to update their Git clients to avoid exposure, particularly when handling untrusted submodules, with specific instructions provided for GitHub Desktop and Atom users to secure their applications. Although GitHub.com and GitHub Enterprise are not directly impacted, they have implemented measures to detect and reject malicious repositories, with updated GitHub Enterprise versions releasing on October 9. The vulnerability, akin to a previous one, involved an option-injection attack related to submodules, and was responsibly disclosed to allow time for remediation before becoming public. The Git community, in collaboration with GitHub developers, audited and implemented stricter validation checks on .gitmodules values, enhancing detection capabilities for potentially harmful submodules. Additionally, JGit and libgit2 were found unaffected due to their different handling of submodules, and a comprehensive scan of GitHub repositories revealed no active exploitation of this vulnerability.

Trends Found in this Post

No tracked trend matches for this post yet.

Use This Data

Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.