Patched bug in software configuration management tools can lead to malicious command execution

A vulnerability discovered in a series of revision control tools for software developers, including GitLab, Mercurial, and Apache Subversion (SVN), can be exploited to execute arbitrary commands on a victim's machine, according to the researcher who discovered it.

The flaw affects multiple products because it actually involves the "git clone" command, which they all use to copy existing Git repositories, explained Joern Schneeweisz, a security researcher at Recurity Labs, in a blog post on Thursday. Schneeweisz originally found the flaw in May in Git LFS (Large File Storage), the open-source Git extension that GitHub developed to help users version large files.

GitHub quickly resolved the problem in Git LFS, Schneeweisz wrote, but further analysis in July revealed that the same issue also affected the three aforementioned software configuration management tools. In response, the various developers collectively addressed the bug with a coordinated set of new releases on Aug. 10, 2017.

The official Git vulnerability disclosure describes the issue as follows: "A malicious third-party can give a crafted 'ssh://...' URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running 'git clone --recurse-submodules' to trigger the vulnerability." The disclosure credits Schneeweisz, as well as Brian Neel, security lead at GitLab, and Jeff King of GitHub. The crafted URL works because the client hands the URL's host component to the ssh program as a command-line argument, and a host that begins with a dash is parsed by ssh as an option rather than a hostname; the patched releases refuse such hosts, so the practical fix is to update the client rather than to rely on screening repositories by hand.
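As an added example, not code from the article or from Git, GitLab, Mercurial or Subversion: a small Python scanner that parses a .gitmodules file and flags submodule URLs whose ssh host argument begins with a dash, which is the property of the "crafted 'ssh://...' URL" in the disclosure above (ssh reads such a host as a command-line option, and Git's August 2017 fix rejects these hosts). The parser, the helper names, and the sample .gitmodules content are constructed for this example; it checks both the `ssh://[user@]host[:port]/path` form and the scp-like `[user@]host:path` form, which is one step beyond the single form the disclosure quotes.

```python
import re
from urllib.parse import unquote

# Constructed sample .gitmodules (not from the article): two ordinary
# submodules and one whose ssh:// host begins with a dash, i.e. the shape
# of URL the disclosure describes and the patched clients reject.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://github.com/example/libfoo.git
[submodule "libbar"]
\tpath = vendor/libbar
\turl = ssh://git@github.com:22/example/libbar.git
[submodule "evil"]
\tpath = vendor/evil
\turl = ssh://-oProxyCommand=id/repo.git
"""

SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]+)"\]\s*$')
KEYVAL_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text):
    """Return {name: {key: value}} for each [submodule "name"] section.
    A minimal reader for the git-config style syntax .gitmodules uses."""
    modules, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(('#', ';')):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = modules.setdefault(m.group(1), {})
            continue
        m = KEYVAL_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return modules


def ssh_host_argument(url):
    """The [user@]host string a Git client would pass to ssh, or None if
    the URL does not use ssh. Handles ssh://[user@]host[:port]/path and
    the scp-like [user@]host:path form; other schemes return None."""
    m = re.match(r'^(?:ssh|git\+ssh|ssh\+git)://([^/]*)', url, re.IGNORECASE)
    if m:
        authority = m.group(1)
    elif '://' not in url and ':' in url:
        # scp-like syntax: the text before the first colon is [user@]host,
        # unless it contains a slash, in which case the URL is a local path
        authority, _, _ = url.partition(':')
        if '/' in authority:
            return None
    else:
        return None
    # drop a trailing :port, keeping a bracketed IPv6 literal intact
    if authority.startswith('['):
        authority = re.sub(r'(?<=\]):\d+$', '', authority)
    else:
        authority = re.sub(r':\d+$', '', authority)
    # percent-decode before checking, so an encoded leading dash (%2D) is
    # treated the same as a literal one (a conservative choice)
    return unquote(authority)


def is_option_injection(url):
    """True if ssh would interpret the host argument as a command-line option."""
    host = ssh_host_argument(url)
    return host is not None and host.startswith('-')


def scan_gitmodules(text):
    """Return [(submodule name, url)] for entries with a dash-leading ssh host."""
    return [(name, cfg['url'])
            for name, cfg in parse_gitmodules(text).items()
            if 'url' in cfg and is_option_injection(cfg['url'])]


if __name__ == '__main__':
    for name, url in scan_gitmodules(SAMPLE_GITMODULES):
        print(f'suspicious submodule {name!r}: {url}')
```

Run it against a repository's .gitmodules (`scan_gitmodules(open('.gitmodules').read())`) before cloning with `--recurse-submodules` on a client that has not yet been updated. It is a triage aid, not a fix: nested submodules, URLs rewritten through `url.<base>.insteadOf`, and the other tools' own URL handling are outside what this check sees, so updating the client remains the actual remedy.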

By Bradley Barth, SC Media