Impact
If the clone URL returned by GitHub is malicious (or can be injected using upstream vulnerabilities), an argument injection is possible in the gettreesha() function. This can then lead to a potential RCE.
Patches
Users should upgrade immediately to v1.9.5. All prior versions are vulnerable.
Workarounds
None
References
Fixed by: #449 (which is available in v1.9.5).
Credits
Thanks to splitline from the DEVCORE Research Team for reporting this issue.
Impact
If the clone URL returned by GitHub is malicious (or can be injected using upstream vulnerabilities), an argument injection is possible in the
gettreesha()function. This can then lead to a potential RCE.Patches
Users should upgrade immediately to v1.9.5. All prior versions are vulnerable.
Workarounds
None
References
Fixed by: #449 (which is available in v1.9.5).
Credits
Thanks to splitline from the DEVCORE Research Team for reporting this issue.