6th October 2018, By Lawrence Abrams
The Git Project announced yesterday a critical arbitrary code execution vulnerability in the Git command line client, Git Desktop, and Atom that could allow malicious repositories to remotely execute commands on a vulnerable machine.
This vulnerability has been assigned the CVE-2018-17456 ID and is similar to a previous CVE-2017-1000117 option injection vulnerability. Like the previous vulnerability, a malicious repository can create a .gitmodules file that contains an URL that starts with a dash.
By using a dash, when Git clones a repository using the –recurse-submodules argument, the command will interpret the URL as an option, which could then be used to perform remote code execution on the computer.