CVE-2016-2315

Published on: 04/08/2016 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:15 PM UTC

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Certain versions of Git from Git-scm contain the following vulnerability:

revision.c in git before 2.7.4 uses an incorrect integer data type, which allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, leading to a heap-based buffer overflow.

  • CVE-2016-2315 has been assigned by [email protected] to track the vulnerability - currently rated as - currently rated as CRITICAL severity.

CVSS3 Score: 9.8 - CRITICAL

Attack
Vector
Attack
Complexity
Privileges
Required
User
Interaction
NETWORK LOW NONE NONE
Scope Confidentiality
Impact
Integrity
Impact
Availability
Impact
UNCHANGED HIGH HIGH HIGH

CVSS2 Score: 10 - HIGH

Access
Vector
Access
Complexity
Authentication
NETWORK LOW NONE
Confidentiality
Impact
Integrity
Impact
Availability
Impact
COMPLETE COMPLETE COMPLETE

CVE References

Description Tags Link
[SECURITY] Fedora 22 Update: git-2.4.11-1.fc22 lists.fedoraproject.org
text/html
URL Logo FEDORA FEDORA-2016-cee7647200
Oracle Solaris Bulletin - April 2016 www.oracle.com
text/html
URL Logo CONFIRM www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
[security-announce] openSUSE-SU-2016:0831-1: important: Security update lists.opensuse.org
text/html
URL Logo SUSE openSUSE-SU-2016:0831
prefer memcpy to strcpy · git/[email protected] · GitHub github.com
text/html
URL Logo CONFIRM github.com/git/git/commit/34fa79a6cde56d6d428ab0d3160cb094ebad3305
Git Buffer Overflow Lets Remote Authenticated Users Execute Arbitrary Code - SecurityTracker www.securitytracker.com
text/html
URL Logo SECTRACK 1035290
[security-announce] SUSE-SU-2016:0798-1: important: Security update for lists.opensuse.org
text/html
URL Logo SUSE SUSE-SU-2016:0798
USN-2938-1: Git vulnerabilities | Ubuntu www.ubuntu.com
text/html
URL Logo UBUNTU USN-2938-1
[SECURITY] Fedora 24 Update: git-2.7.4-1.fc24 lists.fedoraproject.org
text/html
URL Logo FEDORA FEDORA-2016-8f164810c3
Pastebin.com - Not Found (#404) pastebin.com
text/html
Inactive LinkNot Archived
URL Logo MISC pastebin.com/UX2P2jjg
[security-announce] openSUSE-SU-2016:0826-1: important: Security update lists.opensuse.org
text/html
URL Logo SUSE openSUSE-SU-2016:0826
[SECURITY] Fedora 23 Update: git-2.5.5-1.fc23 lists.fedoraproject.org
text/html
URL Logo FEDORA FEDORA-2016-6554eff611
[security-announce] SUSE-SU-2016:0796-1: important: Security update for lists.opensuse.org
text/html
URL Logo SUSE SUSE-SU-2016:0796
openSUSE-SU-2016:0958-1: moderate: Security update for git lists.opensuse.org
text/html
URL Logo SUSE openSUSE-SU-2016:0958
Vendor Advisory
raw.githubusercontent.com
text/plain
CONFIRM raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.4.txt
Oracle Linux Bulletin - April 2016 www.oracle.com
text/html
URL Logo CONFIRM www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
Debian -- Security Information -- DSA-3521-1 git www.debian.org
Depreciated Link
text/html
URL Logo DEBIAN DSA-3521
[security-announce] openSUSE-SU-2016:0832-1: important: Security update lists.opensuse.org
text/html
URL Logo SUSE openSUSE-SU-2016:0832
[security-announce] openSUSE-SU-2016:0802-1: important: Security update lists.opensuse.org
text/html
URL Logo SUSE openSUSE-SU-2016:0802
Red Hat Customer Portal web.archive.org
text/html
Inactive LinkNot Archived
URL Logo REDHAT RHSA-2016:0496
oss-security - server and client side remote code execution through a bu ffer overflow in all git versions before 2.7.1 (unpublished ᴄᴠᴇ-2016-2324 and ᴄᴠᴇ‑2016‑2315) www.openwall.com
text/html
URL Logo MLIST [oss-security] 20160315 server and client side remote code execution through a bu ffer overflow in all git versions before 2.7.1 (unpublished ᴄᴠᴇ-2016-2324 and ᴄᴠᴇ-2016-2315)
list-objects: pass full pathname to callbacks · git/[email protected] · GitHub github.com
text/html
URL Logo CONFIRM github.com/git/git/commit/de1e67d0703894cb6ea782e36abb63976ab07e60
GIT Multiple Heap Based Buffer Overflow Vulnerabilities cve.report (archive)
text/html
URL Logo BID 84355
[security-announce] openSUSE-SU-2016:0829-1: important: Security update lists.opensuse.org
text/html
URL Logo SUSE openSUSE-SU-2016:0829
[security-announce] openSUSE-SU-2016:0803-1: important: Security update lists.opensuse.org
text/html
URL Logo SUSE openSUSE-SU-2016:0803
Git: Multiple vulnerabilities (GLSA 201605-01) — Gentoo security security.gentoo.org
text/html
URL Logo GENTOO GLSA-201605-01

Known Affected Configurations (CPE V2.3)

Type Vendor Product Version Update Edition Language
ApplicationGit-scmGit2.7.3AllAllAll
ApplicationGit-scmGit2.7.3AllAllAll
Operating
System
OpensuseLeap42.1AllAllAll
Operating
System
OpensuseLeap42.1AllAllAll
Operating
System
OpensuseOpensuse13.2AllAllAll
Operating
System
OpensuseOpensuse13.2AllAllAll
ApplicationSuseLinux Enterprise Debuginfo11sp4AllAll
ApplicationSuseLinux Enterprise Debuginfo11sp4AllAll
Operating
System
SuseLinux Enterprise Server12sp1AllAll
Operating
System
SuseLinux Enterprise Server12sp1AllAll
ApplicationSuseLinux Enterprise Software Development Kit11.0sp4AllAll
Operating
System
SuseLinux Enterprise Software Development Kit12AllAllAll
Operating
System
SuseLinux Enterprise Software Development Kit12sp1AllAll
ApplicationSuseLinux Enterprise Software Development Kit11.0sp4AllAll
Operating
System
SuseLinux Enterprise Software Development Kit12AllAllAll
Operating
System
SuseLinux Enterprise Software Development Kit12sp1AllAll
ApplicationSuseOpenstack Cloud5AllAllAll
ApplicationSuseOpenstack Cloud5AllAllAll
Operating
System
SuseSuse Linux Enterprise Server12AllAllAll
Operating
System
SuseSuse Linux Enterprise Server12AllAllAll
  • cpe:2.3:a:git-scm:git:2.7.3:*:*:*:*:*:*:*:
  • cpe:2.3:a:git-scm:git:2.7.3:*:*:*:*:*:*:*:
  • cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*:
  • cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*:
  • cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*:
  • cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*:
  • cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp4:*:*:*:*:*:*:
  • cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp4:*:*:*:*:*:*:
  • cpe:2.3:o:suse:linux_enterprise_server:12:sp1:*:*:*:*:*:*:
  • cpe:2.3:o:suse:linux_enterprise_server:12:sp1:*:*:*:*:*:*:
  • cpe:2.3:a:suse:linux_enterprise_software_development_kit:11.0:sp4:*:*:*:*:*:*:
  • cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:*:*:*:*:*:*:*:
  • cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp1:*:*:*:*:*:*:
  • cpe:2.3:a:suse:linux_enterprise_software_development_kit:11.0:sp4:*:*:*:*:*:*:
  • cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:*:*:*:*:*:*:*:
  • cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp1:*:*:*:*:*:*:
  • cpe:2.3:a:suse:openstack_cloud:5:*:*:*:*:*:*:*:
  • cpe:2.3:a:suse:openstack_cloud:5:*:*:*:*:*:*:*:
  • cpe:2.3:o:suse:suse_linux_enterprise_server:12:*:*:*:*:*:*:*:
  • cpe:2.3:o:suse:suse_linux_enterprise_server:12:*:*:*:*:*:*:*: