The Git Project has disclosed a severe vulnerability that can lead to the execution of arbitrary code. The vulnerability, CVE-2018-17456, was disclosed last Friday. The flaw is an option-injection attack that affects the software's submodules. A malicious repository that is cloned and uses a .gitmodules file with a URL field beginning with a '-' character can be used to execute code at the time of processing.
The latest version of the software, Git v2.19.1, has been released with a patch that resolves the security flaw. In addition, the Git Project has released backports in versions v2.14.5, v2.15.3, v2.16.5, v2.17.2, and v2.18.1 to fix the severe bug in older releases.
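As an added example (not code from the Git Project or from the original article), the Python below checks the two things described above: whether a .gitmodules file contains a submodule URL value beginning with '-', and whether a Git version string is at or above one of the fixed releases listed. The function names and the sample file are constructed for illustration, and treating release lines older than 2.14 as unpatched is an assumption based on the list of backports.

```python
import re

# Fixed patch level per 2.x release line, from the versions named in the article.
FIXED = {14: 5, 15: 3, 16: 5, 17: 2, 18: 1, 19: 1}
SECTION = re.compile(r'^\[\s*submodule\s+"((?:[^"\\]|\\.)*)"\s*\]$')
SETTING = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$')

def find_dash_urls(gitmodules_text):
    """Return (submodule, url) pairs whose url value starts with '-'."""
    hits, current = [], None
    for raw in gitmodules_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("["):
            m = SECTION.match(line)
            current = m.group(1) if m else None  # ignore non-submodule sections
            continue
        m = SETTING.match(line)
        if m and current is not None and m.group(1).lower() == "url":
            value = m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # git config allows quoted values
            if value.startswith("-"):
                hits.append((current, value))
    return hits

def is_patched(version):
    """True if a 'git version X.Y.Z' string is at or above a fixed release."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    major, minor, patch = map(int, m.groups())
    if major != 2:
        return major > 2
    if minor > 19:
        return True
    # Assumption: release lines older than 2.14 received no backport.
    return minor in FIXED and patch >= FIXED[minor]

# Constructed sample; the second URL is a harmless placeholder, not a real option.
SAMPLE = '''[submodule "docs"]
    url = https://example.com/docs.git
[submodule "vendor/lib"]
    url = -placeholder-option
'''

if __name__ == "__main__":
    print(find_dash_urls(SAMPLE), is_patched("git version 2.19.0"))
```

Run `find_dash_urls` over the .gitmodules of a repository before initialising its submodules, and feed the output of `git --version` to `is_patched` to confirm the client is on a fixed release.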
Read more about the critical Git Project vulnerability on ZDNet.