A vulnerability discovered in a series of revision control tools for software developers, including GitLab, Mercurial, and Apache Subversion (SVN), can be exploited to launch malicious command executions, according to the researcher who discovered it.
The flaw affects multiple products because it actually involves the "git clone" command, which they all use to copy existing Git repositories, explains Joern Schneeweisz, a security researcher for Recurity Labs, via a blog post last Thursday. Back in May, Schneeweisz originally found the flaw in the open source extension Git LFS, a tool that GitHub developed to help users manage Large File Storage.
GitHub quickly resolved the problem, wrote Schneeweisz, but further analysis revealed in July that the same issue also impacted the three aforementioned software configuration management tools. In response, the various developers collectively addressed the bug with a series of new releases on Aug. 10.
The official Git vulnerability disclosure describes the issue as follows: "A malicious third-party can give a crafted 'ssh://...' URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running 'git clone --recurse-submodules' to trigger the vulnerability." The disclosure gives credit to Schneeweisz, as well as Brian Neel, security lead at GitLab, and Jeff King of GitHub.
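As a defensive illustration of the disclosure above (added example, not code from the original article or from the Git project), the following script scans a .gitmodules file before a recursive clone and flags submodule URLs whose ssh host or user name begins with a dash, the shape of URL that ssh would read as a command-line option rather than a host. That criterion comes from the upstream hardening rather than from this article, and the sample .gitmodules content is constructed for the example.

```python
"""Pre-clone check for submodule URLs in a .gitmodules file.

Added example; not the article's or Git's own code. Assumes the risky URL
shape is an ssh host (or user) that starts with '-', which is what the
patched releases refuse. Host names used below are constructed samples.
"""
import re
from urllib.parse import urlsplit

SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]+)"\]\s*$')
KEY_RE = re.compile(r'^\s*(\w+)\s*=\s*(.*?)\s*$')
SSH_SCHEMES = ("ssh", "git+ssh", "ssh+git")


def parse_gitmodules(text):
    """Return {submodule_name: {key: value}} from .gitmodules text."""
    modules, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        section = SECTION_RE.match(line)
        if section:
            current = modules.setdefault(section.group(1), {})
            continue
        kv = KEY_RE.match(line)
        if kv and current is not None:
            current[kv.group(1).lower()] = kv.group(2)
    return modules


def suspicious_url(url):
    """Return a reason string if the URL would hand ssh a dashed host or user, else None."""
    if "://" in url:
        parts = urlsplit(url)
        if parts.scheme not in SSH_SCHEMES:
            return None          # only ssh transports invoke the ssh client
        host = parts.hostname or ""
        user = parts.username or ""
    else:
        # scp-like [user@]host:path, which git also hands to ssh
        head, sep, _ = url.partition(":")
        if not sep or "/" in head:
            return None          # plain local path, not an ssh target
        user, _, host = head.rpartition("@")
    for label, value in (("host", host), ("user", user)):
        if value.startswith("-"):
            return f'{label} {value!r} begins with "-" and would be read by ssh as an option'
    return None


def check_gitmodules(text):
    """Return a list of (submodule_name, url, reason) for every flagged URL."""
    findings = []
    for name, cfg in parse_gitmodules(text).items():
        url = cfg.get("url", "")
        reason = suspicious_url(url)
        if reason:
            findings.append((name, url, reason))
    return findings


# Constructed sample: one https submodule, one dashed ssh host, one ordinary scp-like URL.
SAMPLE_GITMODULES = """\
[submodule "vendor/libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "tools/helper"]
\tpath = tools/helper
\turl = ssh://-example.invalid/helper.git
[submodule "docs"]
\tpath = docs
\turl = git@example.invalid:org/docs.git
"""

if __name__ == "__main__":
    for name, url, reason in check_gitmodules(SAMPLE_GITMODULES):
        print(f"REFUSE submodule {name!r}: {url} ({reason})")
```

Run it against a checked-out repository's .gitmodules before `git clone --recurse-submodules` or `git submodule update --init`; an empty result means no submodule URL has a dashed ssh host or user. Updating Git to a patched release remains the actual fix; this check only gives a pre-clone signal on unpatched clients.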