Public Date:
1269794: CVE-2015-7545 git: arbitrary code execution via crafted URLs
A flaw was found in the way the git-remote-ext helper processed certain URLs. If a user had Git configured to automatically clone submodules from untrusted repositories, an attacker could inject commands into the URL of a submodule, allowing them to execute arbitrary code on the user's system.

Find out more about CVE-2015-7545 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v2 metrics

Base Score 6.8
Base Metrics AV:N/AC:M/Au:N/C:P/I:P/A:P
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat Software Collections for Red Hat Enterprise Linux 7 (git19-git) RHSA-2015:2515 2015-11-25
Red Hat Enterprise Linux 7 (git) RHSA-2015:2561 2015-12-08
Red Hat Software Collections for Red Hat Enterprise Linux 6 (git19-git) RHSA-2015:2515 2015-11-25

Affected Packages State

Platform Package State
Red Hat Enterprise Linux 6 git Not affected
Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although may not have been subject to full analysis.


Avoid recursive cloning or updating of git submodules without checking the submodule URL. Non-recursive cloning is the default in git, so user needs to change this to become vulnerable ("e.g. by specifying --recursive").

Last Modified