gix and gitoxide: unvalidated submodule name traverses out of .git/modules and redirects state() / open() to another repository

Summary attachments: pocs.zip Submodule names coming from .gitmodules are exposed as unvalidated names and are later reused to derive the submodule git directory as: /modules/ Because the submodule name is joined directly as a filesystem path component, a name such as ../../../escaped-target.git...

PT-2026-38894

Summary attachments: pocs.zip Submodule names coming from .gitmodules are exposed as unvalidated names and are later reused to derive the submodule git directory as: /modules/ Because the submodule name is joined directly as a filesystem path component, a name such as ../../../escaped-target.git...

PT-2026-38895

Summary Submodule name validation bypass plus missing validation in production code paths allows path traversal via crafted .gitmodules. Combined with a trust inheritance flaw in Submodule::open, this enables reading arbitrary git repository configs including credentials from traversed paths with...

MiracleLinux 7 : git-1.8.3.1-20.el7 (AXSA:2019-3447:01)

The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2019-3447:01 advisory. git: arbitrary code execution via .gitmodules CVE-2018-17456 Tenable has extracted the preceding description block directly from the MiracleLinux security...

SUSE CVE-2023-22490

Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort loca...

DEBIAN-CVE-2023-22490

Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort loca...

DEBIAN-CVE-2019-19604

Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository...

FreeBSD : Salt -- multiple vulnerabilities (3934cc60-f0fa-4eca-be09-c8bd7ae42871)

Salt release notes : CVE-2015-6918 - Git modules leaking HTTPS auth credentials to debug log Updated the Git state and execution modules to no longer display HTTPS basic authentication credentials in loglevel debug output on the Salt master. These credentials are now replaced with REDACTED in the...