The influence of CVE-2018-11235 more than expected. Even the Hyperledger project is included.

Git community disclosed a high serverity of vulnerabilies (CVE-2018-11235). Since the impact of this vulnerabilities might influence many software application.

The major design weakness of this vulnerability is that when you git clone a repository, there is some important configuration that you don’t get from the server includes .git/config file, and things like hooks, which are scripts that will be run at certain points within the git workflow. For instance, the post-checkout hook will be run anytime git checks files out into the working directory. As a result hacker can appended to $GIT_DIR/modules, leading to directory traversal with “../” in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server. As a result, hacker has way to implant malware to the library.

This vulnerability also jeopardizing hyperledger project. Please refer to above diagram for reference.

For details of vulnerability. Please refer below:

https://nvd.nist.gov/vuln/detail/CVE-2018-11235

Solution

  • Examine submodule’s folder names closely.
  • No longer contain .. as a path segment, and they cannot be symbolic links.

The programming parameter must be within the .git repository folder.

One thought on “The influence of CVE-2018-11235 more than expected. Even the Hyperledger project is included.”

  1. I just like the helpful info you supply to your articles.
    I’ll bookmark your blog and check again right here regularly.

    I am somewhat certain I’ll be informed a lot of new stuff right right here!
    Best of luck for the following!

Comments are closed.