CVE-2018-17456

Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.

Published: Oct 6, 2018
Updated: Nov 9, 2025
CVE: CVE-2018-17456
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-88

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
git-scm / git	2.19.0	2.19.1
git-scm / git	2.18.0	2.18.1
git-scm / git	2.17.0	2.17.2
git-scm / git	2.16.0	2.16.5
git-scm / git	2.15.0	2.15.3
git-scm / git	2.14.0	2.14.5
redhat / enterprise_linux_desktop	7.0	7.0.x
redhat / enterprise_linux	7.4	7.4.x
redhat / enterprise_linux_workstation	7.0	7.0.x
redhat / enterprise_linux	7.0	7.0.x
redhat / enterprise_linux	6.0	6.0.x
redhat / enterprise_linux_server	7.0	7.0.x
redhat / enterprise_linux	6.7	6.7.x
redhat / enterprise_linux	7.3	7.3.x
redhat / enterprise_linux	7.5	7.5.x
redhat / enterprise_linux_server_tus	7.6	7.6.x
redhat / enterprise_linux_server_eus	7.6	7.6.x
redhat / enterprise_linux_server_aus	7.6	7.6.x
redhat / enterprise_linux	7.6	7.6.x
redhat / ansible_tower	3.3	3.3.x
canonical / ubuntu_linux	16.04	16.04.x
canonical / ubuntu_linux	14.04	14.04.x
canonical / ubuntu_linux	18.04	18.04.x
debian / debian_linux	9.0	9.0.x

Vulnerability Database

313,552

CVE-2018-17456

Deep Security Visibility Without the Complexity