rhsa-2025:13276
Vulnerability from csaf_redhat
Published
2025-08-07 06:31
Modified
2025-08-20 07:12
Summary
Red Hat Security Advisory: updated RHEL-8 based Middleware Containers container images
Notes
Topic
Updated RHEL-8 based Middleware Containers container images are now available
Details
The RHEL-8 based Middleware Containers container images have been updated to address the following security advisory: RHSA-2025:11534 (see References)
Users of RHEL-8 based Middleware Containers container images are advised to upgrade to these updated images, which contain backported patches that correct the security issues, fix the bugs and add the enhancements described in that advisory. Users of these images are also encouraged to rebuild all container images that depend on these images, because a derived image keeps the layers of the base image it was built from until it is rebuilt.
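You can find the images updated by this advisory in the Red Hat Container Catalog (see References). The fixed images are identified by the sha256 digests listed under "product_status" / "fixed" in the advisory data below, so the digest of a deployed image can be compared against that list to confirm it carries the fix.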
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Updated RHEL-8 based Middleware Containers container images are now available", "title": "Topic" }, { "category": "general", "text": "The RHEL-8 based Middleware Containers container images have been updated to address the following security advisory: RHSA-2025:11534 (see References)\n\nUsers of RHEL-8 based Middleware Containers container images are advised to upgrade to these updated images, which contain backported patches to correct these security issues, fix these bugs and add these enhancements. Users of these images are also encouraged to rebuild all container images that depend on these images.\n\nYou can find images updated by this advisory in Red Hat Container Catalog (see References).", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2025:13276", "url": "https://access.redhat.com/errata/RHSA-2025:13276" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:11534", "url": "https://access.redhat.com/errata/RHSA-2025:11534" }, { "category": "external", "summary": "https://access.redhat.com/containers", "url": "https://access.redhat.com/containers" }, { "category": "external", "summary": "2279632", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2279632" }, { "category": "external", "summary": "2325340", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2325340" }, { "category": "external", "summary": "2337824", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2337824" }, { "category": "external", "summary": "2337956", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2337956" }, { "category": "external", "summary": "2364265", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2364265" }, { "category": "external", "summary": "2378806", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2378806" }, { "category": "external", "summary": "2378808", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2378808" }, { "category": "external", "summary": "2379124", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379124" }, { "category": "external", "summary": "2379125", "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2379125" }, { "category": "external", "summary": "2379326", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379326" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_13276.json" } ], "title": "Red Hat Security Advisory: updated RHEL-8 based Middleware Containers container images", "tracking": { "current_release_date": "2025-08-20T07:12:50+00:00", "generator": { "date": "2025-08-20T07:12:50+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.6" } }, "id": "RHSA-2025:13276", "initial_release_date": "2025-08-07T06:31:06+00:00", "revision_history": [ { "date": "2025-08-07T06:31:06+00:00", "number": "1", "summary": "Initial version" }, { "date": "2025-08-07T06:31:06+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-08-20T07:12:50+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Middleware Containers for OpenShift", "product": { "name": "Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhosemc:1.0::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "rhpam-7/rhpam-businesscentral-monitoring-rhel8@sha256:26a7fe83f3a34f02c2d0fdb0c67958166d79e47d264e7538e7c041c73af8406b_amd64", "product": { "name": "rhpam-7/rhpam-businesscentral-monitoring-rhel8@sha256:26a7fe83f3a34f02c2d0fdb0c67958166d79e47d264e7538e7c041c73af8406b_amd64", "product_id": "rhpam-7/rhpam-businesscentral-monitoring-rhel8@sha256:26a7fe83f3a34f02c2d0fdb0c67958166d79e47d264e7538e7c041c73af8406b_amd64", "product_identification_helper": { "purl": 
"pkg:oci/rhpam-businesscentral-monitoring-rhel8@sha256:26a7fe83f3a34f02c2d0fdb0c67958166d79e47d264e7538e7c041c73af8406b?arch=amd64\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-businesscentral-monitoring-rhel8\u0026tag=7.13.5-4.1753280805" } } }, { "category": "product_version", "name": "rhpam-7/rhpam-businesscentral-rhel8@sha256:b4804f253e75441ba011a85a38673f1499b11df42e7d63a5d850e2e7f99c4f63_amd64", "product": { "name": "rhpam-7/rhpam-businesscentral-rhel8@sha256:b4804f253e75441ba011a85a38673f1499b11df42e7d63a5d850e2e7f99c4f63_amd64", "product_id": "rhpam-7/rhpam-businesscentral-rhel8@sha256:b4804f253e75441ba011a85a38673f1499b11df42e7d63a5d850e2e7f99c4f63_amd64", "product_identification_helper": { "purl": "pkg:oci/rhpam-businesscentral-rhel8@sha256:b4804f253e75441ba011a85a38673f1499b11df42e7d63a5d850e2e7f99c4f63?arch=amd64\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-businesscentral-rhel8\u0026tag=7.13.5-4.1753280812" } } }, { "category": "product_version", "name": "rhpam-7/rhpam-controller-rhel8@sha256:b6344cd0cfa033dca638dffa1d6f05b1b44c49cec805a4bead4bb31e967152e7_amd64", "product": { "name": "rhpam-7/rhpam-controller-rhel8@sha256:b6344cd0cfa033dca638dffa1d6f05b1b44c49cec805a4bead4bb31e967152e7_amd64", "product_id": "rhpam-7/rhpam-controller-rhel8@sha256:b6344cd0cfa033dca638dffa1d6f05b1b44c49cec805a4bead4bb31e967152e7_amd64", "product_identification_helper": { "purl": "pkg:oci/rhpam-controller-rhel8@sha256:b6344cd0cfa033dca638dffa1d6f05b1b44c49cec805a4bead4bb31e967152e7?arch=amd64\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-controller-rhel8\u0026tag=7.13.5-4.1752676933" } } }, { "category": "product_version", "name": "rhpam-7/rhpam-dashbuilder-rhel8@sha256:47dacb456c1349638195e8d1a13224f63c1675199fc819803b50b617b9442c60_amd64", "product": { "name": "rhpam-7/rhpam-dashbuilder-rhel8@sha256:47dacb456c1349638195e8d1a13224f63c1675199fc819803b50b617b9442c60_amd64", "product_id": 
"rhpam-7/rhpam-dashbuilder-rhel8@sha256:47dacb456c1349638195e8d1a13224f63c1675199fc819803b50b617b9442c60_amd64", "product_identification_helper": { "purl": "pkg:oci/rhpam-dashbuilder-rhel8@sha256:47dacb456c1349638195e8d1a13224f63c1675199fc819803b50b617b9442c60?arch=amd64\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-dashbuilder-rhel8\u0026tag=7.13.5-3.1752676926" } } }, { "category": "product_version", "name": "rhpam-7/rhpam-kieserver-rhel8@sha256:1b23a90b54af8f3d61cd9b1cad05cf30f0225af6d8cf1f833e21b0630623070a_amd64", "product": { "name": "rhpam-7/rhpam-kieserver-rhel8@sha256:1b23a90b54af8f3d61cd9b1cad05cf30f0225af6d8cf1f833e21b0630623070a_amd64", "product_id": "rhpam-7/rhpam-kieserver-rhel8@sha256:1b23a90b54af8f3d61cd9b1cad05cf30f0225af6d8cf1f833e21b0630623070a_amd64", "product_identification_helper": { "purl": "pkg:oci/rhpam-kieserver-rhel8@sha256:1b23a90b54af8f3d61cd9b1cad05cf30f0225af6d8cf1f833e21b0630623070a?arch=amd64\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-kieserver-rhel8\u0026tag=7.13.5-4.1752676932" } } }, { "category": "product_version", "name": "rhpam-7/rhpam-process-migration-rhel8@sha256:3c56a1235f0a61744b38b4b579b91b179ba07ae001ead41c64579bd9fd1b4f9c_amd64", "product": { "name": "rhpam-7/rhpam-process-migration-rhel8@sha256:3c56a1235f0a61744b38b4b579b91b179ba07ae001ead41c64579bd9fd1b4f9c_amd64", "product_id": "rhpam-7/rhpam-process-migration-rhel8@sha256:3c56a1235f0a61744b38b4b579b91b179ba07ae001ead41c64579bd9fd1b4f9c_amd64", "product_identification_helper": { "purl": "pkg:oci/rhpam-process-migration-rhel8@sha256:3c56a1235f0a61744b38b4b579b91b179ba07ae001ead41c64579bd9fd1b4f9c?arch=amd64\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-process-migration-rhel8\u0026tag=7.13.5-4.1752676925" } } }, { "category": "product_version", "name": "rhpam-7/rhpam-rhel8-operator@sha256:add1edfb633e14a4d23794b80ca0d3f96720d33e11c132580d7b58bf29f9a167_amd64", "product": { "name": 
"rhpam-7/rhpam-rhel8-operator@sha256:add1edfb633e14a4d23794b80ca0d3f96720d33e11c132580d7b58bf29f9a167_amd64", "product_id": "rhpam-7/rhpam-rhel8-operator@sha256:add1edfb633e14a4d23794b80ca0d3f96720d33e11c132580d7b58bf29f9a167_amd64", "product_identification_helper": { "purl": "pkg:oci/rhpam-rhel8-operator@sha256:add1edfb633e14a4d23794b80ca0d3f96720d33e11c132580d7b58bf29f9a167?arch=amd64\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-rhel8-operator\u0026tag=7.13.5-2.1752676931" } } }, { "category": "product_version", "name": "rhpam-7/rhpam-smartrouter-rhel8@sha256:63fad8909d38e5f5e5bdb539f025bd95f1d2ec7cc6b6ee5e9b48e36036d19484_amd64", "product": { "name": "rhpam-7/rhpam-smartrouter-rhel8@sha256:63fad8909d38e5f5e5bdb539f025bd95f1d2ec7cc6b6ee5e9b48e36036d19484_amd64", "product_id": "rhpam-7/rhpam-smartrouter-rhel8@sha256:63fad8909d38e5f5e5bdb539f025bd95f1d2ec7cc6b6ee5e9b48e36036d19484_amd64", "product_identification_helper": { "purl": "pkg:oci/rhpam-smartrouter-rhel8@sha256:63fad8909d38e5f5e5bdb539f025bd95f1d2ec7cc6b6ee5e9b48e36036d19484?arch=amd64\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-smartrouter-rhel8\u0026tag=7.13.5-4.1752676930" } } }, { "category": "product_version", "name": "rhpam-7/rhpam-operator-bundle@sha256:b005ca81fb10121bed0422266e415164d58fc48d85e1fe5b4d36a3a222c249f1_amd64", "product": { "name": "rhpam-7/rhpam-operator-bundle@sha256:b005ca81fb10121bed0422266e415164d58fc48d85e1fe5b4d36a3a222c249f1_amd64", "product_id": "rhpam-7/rhpam-operator-bundle@sha256:b005ca81fb10121bed0422266e415164d58fc48d85e1fe5b4d36a3a222c249f1_amd64", "product_identification_helper": { "purl": "pkg:oci/rhpam-operator-bundle@sha256:b005ca81fb10121bed0422266e415164d58fc48d85e1fe5b4d36a3a222c249f1?arch=amd64\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-operator-bundle\u0026tag=7.13.5-27" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", 
"full_product_name": { "name": "rhpam-7/rhpam-businesscentral-monitoring-rhel8@sha256:26a7fe83f3a34f02c2d0fdb0c67958166d79e47d264e7538e7c041c73af8406b_amd64 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-businesscentral-monitoring-rhel8@sha256:26a7fe83f3a34f02c2d0fdb0c67958166d79e47d264e7538e7c041c73af8406b_amd64" }, "product_reference": "rhpam-7/rhpam-businesscentral-monitoring-rhel8@sha256:26a7fe83f3a34f02c2d0fdb0c67958166d79e47d264e7538e7c041c73af8406b_amd64", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rhpam-7/rhpam-businesscentral-rhel8@sha256:b4804f253e75441ba011a85a38673f1499b11df42e7d63a5d850e2e7f99c4f63_amd64 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-businesscentral-rhel8@sha256:b4804f253e75441ba011a85a38673f1499b11df42e7d63a5d850e2e7f99c4f63_amd64" }, "product_reference": "rhpam-7/rhpam-businesscentral-rhel8@sha256:b4804f253e75441ba011a85a38673f1499b11df42e7d63a5d850e2e7f99c4f63_amd64", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rhpam-7/rhpam-controller-rhel8@sha256:b6344cd0cfa033dca638dffa1d6f05b1b44c49cec805a4bead4bb31e967152e7_amd64 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-controller-rhel8@sha256:b6344cd0cfa033dca638dffa1d6f05b1b44c49cec805a4bead4bb31e967152e7_amd64" }, "product_reference": "rhpam-7/rhpam-controller-rhel8@sha256:b6344cd0cfa033dca638dffa1d6f05b1b44c49cec805a4bead4bb31e967152e7_amd64", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rhpam-7/rhpam-dashbuilder-rhel8@sha256:47dacb456c1349638195e8d1a13224f63c1675199fc819803b50b617b9442c60_amd64 as a component of Middleware Containers for OpenShift", 
"product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-dashbuilder-rhel8@sha256:47dacb456c1349638195e8d1a13224f63c1675199fc819803b50b617b9442c60_amd64" }, "product_reference": "rhpam-7/rhpam-dashbuilder-rhel8@sha256:47dacb456c1349638195e8d1a13224f63c1675199fc819803b50b617b9442c60_amd64", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rhpam-7/rhpam-kieserver-rhel8@sha256:1b23a90b54af8f3d61cd9b1cad05cf30f0225af6d8cf1f833e21b0630623070a_amd64 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-kieserver-rhel8@sha256:1b23a90b54af8f3d61cd9b1cad05cf30f0225af6d8cf1f833e21b0630623070a_amd64" }, "product_reference": "rhpam-7/rhpam-kieserver-rhel8@sha256:1b23a90b54af8f3d61cd9b1cad05cf30f0225af6d8cf1f833e21b0630623070a_amd64", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rhpam-7/rhpam-operator-bundle@sha256:b005ca81fb10121bed0422266e415164d58fc48d85e1fe5b4d36a3a222c249f1_amd64 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-operator-bundle@sha256:b005ca81fb10121bed0422266e415164d58fc48d85e1fe5b4d36a3a222c249f1_amd64" }, "product_reference": "rhpam-7/rhpam-operator-bundle@sha256:b005ca81fb10121bed0422266e415164d58fc48d85e1fe5b4d36a3a222c249f1_amd64", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rhpam-7/rhpam-process-migration-rhel8@sha256:3c56a1235f0a61744b38b4b579b91b179ba07ae001ead41c64579bd9fd1b4f9c_amd64 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-process-migration-rhel8@sha256:3c56a1235f0a61744b38b4b579b91b179ba07ae001ead41c64579bd9fd1b4f9c_amd64" }, "product_reference": 
"rhpam-7/rhpam-process-migration-rhel8@sha256:3c56a1235f0a61744b38b4b579b91b179ba07ae001ead41c64579bd9fd1b4f9c_amd64", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rhpam-7/rhpam-rhel8-operator@sha256:add1edfb633e14a4d23794b80ca0d3f96720d33e11c132580d7b58bf29f9a167_amd64 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-rhel8-operator@sha256:add1edfb633e14a4d23794b80ca0d3f96720d33e11c132580d7b58bf29f9a167_amd64" }, "product_reference": "rhpam-7/rhpam-rhel8-operator@sha256:add1edfb633e14a4d23794b80ca0d3f96720d33e11c132580d7b58bf29f9a167_amd64", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rhpam-7/rhpam-smartrouter-rhel8@sha256:63fad8909d38e5f5e5bdb539f025bd95f1d2ec7cc6b6ee5e9b48e36036d19484_amd64 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-smartrouter-rhel8@sha256:63fad8909d38e5f5e5bdb539f025bd95f1d2ec7cc6b6ee5e9b48e36036d19484_amd64" }, "product_reference": "rhpam-7/rhpam-smartrouter-rhel8@sha256:63fad8909d38e5f5e5bdb539f025bd95f1d2ec7cc6b6ee5e9b48e36036d19484_amd64", "relates_to_product_reference": "8Base-RHOSE-Middleware" } ] }, "vulnerabilities": [ { "cve": "CVE-2025-48384", "cwe": { "id": "CWE-59", "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)" }, "discovery_date": "2025-07-08T19:00:48.297925+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2378806" } ], "notes": [ { "category": "description", "text": "A line-end handling flaw was found in Git. When writing a config entry, values with a trailing carriage return (CR) are not quoted, resulting in the CR being lost when the config is read later. 
When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read, resulting in the submodule being checked out to an incorrect location.", "title": "Vulnerability description" }, { "category": "summary", "text": "git: Git arbitrary code execution", "title": "Vulnerability summary" }, { "category": "other", "text": "This vulnerability is marked as Important rather than Moderate because it undermines Git\u2019s path and config integrity by allowing carriage return (\\r) injection to manipulate submodule checkout behavior. Git previously failed to quote config values containing trailing CR, causing the value to be misinterpreted when read back. In the context of submodules, this leads to incorrect path resolution, allowing an attacker to redirect the checkout path via a symlink to a sensitive directory like .git/modules/\u003csubmodule\u003e/hooks. If an executable post-checkout hook exists there, it could be inadvertently executed, resulting in arbitrary code execution during submodule operations. 
This is particularly dangerous in automated CI/CD pipelines or multi-repo projects where submodules are initialized or updated without manual inspection.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rhpam-7/rhpam-businesscentral-monitoring-rhel8@sha256:26a7fe83f3a34f02c2d0fdb0c67958166d79e47d264e7538e7c041c73af8406b_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-businesscentral-rhel8@sha256:b4804f253e75441ba011a85a38673f1499b11df42e7d63a5d850e2e7f99c4f63_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-controller-rhel8@sha256:b6344cd0cfa033dca638dffa1d6f05b1b44c49cec805a4bead4bb31e967152e7_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-dashbuilder-rhel8@sha256:47dacb456c1349638195e8d1a13224f63c1675199fc819803b50b617b9442c60_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kieserver-rhel8@sha256:1b23a90b54af8f3d61cd9b1cad05cf30f0225af6d8cf1f833e21b0630623070a_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-operator-bundle@sha256:b005ca81fb10121bed0422266e415164d58fc48d85e1fe5b4d36a3a222c249f1_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-process-migration-rhel8@sha256:3c56a1235f0a61744b38b4b579b91b179ba07ae001ead41c64579bd9fd1b4f9c_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-rhel8-operator@sha256:add1edfb633e14a4d23794b80ca0d3f96720d33e11c132580d7b58bf29f9a167_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-smartrouter-rhel8@sha256:63fad8909d38e5f5e5bdb539f025bd95f1d2ec7cc6b6ee5e9b48e36036d19484_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2025-48384" }, { "category": "external", "summary": "RHBZ#2378806", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2378806" }, { "category": 
"external", "summary": "https://www.cve.org/CVERecord?id=CVE-2025-48384", "url": "https://www.cve.org/CVERecord?id=CVE-2025-48384" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48384", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48384" }, { "category": "external", "summary": "https://dgl.cx/2025/07/git-clone-submodule-cve-2025-48384", "url": "https://dgl.cx/2025/07/git-clone-submodule-cve-2025-48384" }, { "category": "external", "summary": "https://github.com/git/git/commit/05e9cd64ee23bbadcea6bcffd6660ed02b8eab89", "url": "https://github.com/git/git/commit/05e9cd64ee23bbadcea6bcffd6660ed02b8eab89" }, { "category": "external", "summary": "https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9", "url": "https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9" } ], "release_date": "2025-07-08T18:23:48.710000+00:00", "remediations": [ { "category": "vendor_fix", "date": "2025-08-07T06:31:06+00:00", "details": "The RHEL-8 based Middleware Containers container images provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. 
Installation instructions for your platform are available at Red Hat Container Catalog (see References).\n\nDockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.", "product_ids": [ "8Base-RHOSE-Middleware:rhpam-7/rhpam-businesscentral-monitoring-rhel8@sha256:26a7fe83f3a34f02c2d0fdb0c67958166d79e47d264e7538e7c041c73af8406b_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-businesscentral-rhel8@sha256:b4804f253e75441ba011a85a38673f1499b11df42e7d63a5d850e2e7f99c4f63_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-controller-rhel8@sha256:b6344cd0cfa033dca638dffa1d6f05b1b44c49cec805a4bead4bb31e967152e7_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-dashbuilder-rhel8@sha256:47dacb456c1349638195e8d1a13224f63c1675199fc819803b50b617b9442c60_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kieserver-rhel8@sha256:1b23a90b54af8f3d61cd9b1cad05cf30f0225af6d8cf1f833e21b0630623070a_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-operator-bundle@sha256:b005ca81fb10121bed0422266e415164d58fc48d85e1fe5b4d36a3a222c249f1_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-process-migration-rhel8@sha256:3c56a1235f0a61744b38b4b579b91b179ba07ae001ead41c64579bd9fd1b4f9c_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-rhel8-operator@sha256:add1edfb633e14a4d23794b80ca0d3f96720d33e11c132580d7b58bf29f9a167_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-smartrouter-rhel8@sha256:63fad8909d38e5f5e5bdb539f025bd95f1d2ec7cc6b6ee5e9b48e36036d19484_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2025:13276" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ 
"8Base-RHOSE-Middleware:rhpam-7/rhpam-businesscentral-monitoring-rhel8@sha256:26a7fe83f3a34f02c2d0fdb0c67958166d79e47d264e7538e7c041c73af8406b_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-businesscentral-rhel8@sha256:b4804f253e75441ba011a85a38673f1499b11df42e7d63a5d850e2e7f99c4f63_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-controller-rhel8@sha256:b6344cd0cfa033dca638dffa1d6f05b1b44c49cec805a4bead4bb31e967152e7_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-dashbuilder-rhel8@sha256:47dacb456c1349638195e8d1a13224f63c1675199fc819803b50b617b9442c60_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kieserver-rhel8@sha256:1b23a90b54af8f3d61cd9b1cad05cf30f0225af6d8cf1f833e21b0630623070a_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-operator-bundle@sha256:b005ca81fb10121bed0422266e415164d58fc48d85e1fe5b4d36a3a222c249f1_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-process-migration-rhel8@sha256:3c56a1235f0a61744b38b4b579b91b179ba07ae001ead41c64579bd9fd1b4f9c_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-rhel8-operator@sha256:add1edfb633e14a4d23794b80ca0d3f96720d33e11c132580d7b58bf29f9a167_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-smartrouter-rhel8@sha256:63fad8909d38e5f5e5bdb539f025bd95f1d2ec7cc6b6ee5e9b48e36036d19484_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rhpam-7/rhpam-businesscentral-monitoring-rhel8@sha256:26a7fe83f3a34f02c2d0fdb0c67958166d79e47d264e7538e7c041c73af8406b_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-businesscentral-rhel8@sha256:b4804f253e75441ba011a85a38673f1499b11df42e7d63a5d850e2e7f99c4f63_amd64", 
"8Base-RHOSE-Middleware:rhpam-7/rhpam-controller-rhel8@sha256:b6344cd0cfa033dca638dffa1d6f05b1b44c49cec805a4bead4bb31e967152e7_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-dashbuilder-rhel8@sha256:47dacb456c1349638195e8d1a13224f63c1675199fc819803b50b617b9442c60_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kieserver-rhel8@sha256:1b23a90b54af8f3d61cd9b1cad05cf30f0225af6d8cf1f833e21b0630623070a_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-operator-bundle@sha256:b005ca81fb10121bed0422266e415164d58fc48d85e1fe5b4d36a3a222c249f1_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-process-migration-rhel8@sha256:3c56a1235f0a61744b38b4b579b91b179ba07ae001ead41c64579bd9fd1b4f9c_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-rhel8-operator@sha256:add1edfb633e14a4d23794b80ca0d3f96720d33e11c132580d7b58bf29f9a167_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-smartrouter-rhel8@sha256:63fad8909d38e5f5e5bdb539f025bd95f1d2ec7cc6b6ee5e9b48e36036d19484_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "git: Git arbitrary code execution" }, { "cve": "CVE-2025-48385", "cwe": { "id": "CWE-88", "name": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)" }, "discovery_date": "2025-07-08T19:00:55.106787+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2378808" } ], "notes": [ { "category": "description", "text": "A bundled uri handling flaw was found in Git. When cloning a repository, Git knows to optionally fetch a bundle advertised by the remote server, which allows the server side to offload parts of the clone to a CDN. 
The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection.", "title": "Vulnerability description" }, { "category": "summary", "text": "git: Git arbitrary file writes", "title": "Vulnerability summary" }, { "category": "other", "text": "This vulnerability is marked as Important rather than Moderate because it enables protocol injection at the transport layer of Git\u0027s bundle-uri mechanism, allowing a remote server to manipulate how and where data is written on the client system during a clone operation. The lack of input sanitization on user-controlled values like the URI and target path means that malformed inputs containing spaces or newlines can break protocol framing, leading to arbitrary file writes. In scenarios such as CI pipelines, developer environments, or recursive clones with submodules, an attacker can exploit this to overwrite critical files or inject malicious content, potentially achieving remote code execution (RCE).", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rhpam-7/rhpam-businesscentral-monitoring-rhel8@sha256:26a7fe83f3a34f02c2d0fdb0c67958166d79e47d264e7538e7c041c73af8406b_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-businesscentral-rhel8@sha256:b4804f253e75441ba011a85a38673f1499b11df42e7d63a5d850e2e7f99c4f63_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-controller-rhel8@sha256:b6344cd0cfa033dca638dffa1d6f05b1b44c49cec805a4bead4bb31e967152e7_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-dashbuilder-rhel8@sha256:47dacb456c1349638195e8d1a13224f63c1675199fc819803b50b617b9442c60_amd64", 
"8Base-RHOSE-Middleware:rhpam-7/rhpam-kieserver-rhel8@sha256:1b23a90b54af8f3d61cd9b1cad05cf30f0225af6d8cf1f833e21b0630623070a_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-operator-bundle@sha256:b005ca81fb10121bed0422266e415164d58fc48d85e1fe5b4d36a3a222c249f1_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-process-migration-rhel8@sha256:3c56a1235f0a61744b38b4b579b91b179ba07ae001ead41c64579bd9fd1b4f9c_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-rhel8-operator@sha256:add1edfb633e14a4d23794b80ca0d3f96720d33e11c132580d7b58bf29f9a167_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-smartrouter-rhel8@sha256:63fad8909d38e5f5e5bdb539f025bd95f1d2ec7cc6b6ee5e9b48e36036d19484_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2025-48385" }, { "category": "external", "summary": "RHBZ#2378808", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2378808" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2025-48385", "url": "https://www.cve.org/CVERecord?id=CVE-2025-48385" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48385", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48385" }, { "category": "external", "summary": "https://github.com/git/git/security/advisories/GHSA-m98c-vgpc-9655", "url": "https://github.com/git/git/security/advisories/GHSA-m98c-vgpc-9655" } ], "release_date": "2025-07-08T18:23:44.405000+00:00", "remediations": [ { "category": "vendor_fix", "date": "2025-08-07T06:31:06+00:00", "details": "The RHEL-8 based Middleware Containers container images provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. 
Installation instructions for your platform are available at Red Hat Container Catalog (see References).\n\nDockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.", "product_ids": [ "8Base-RHOSE-Middleware:rhpam-7/rhpam-businesscentral-monitoring-rhel8@sha256:26a7fe83f3a34f02c2d0fdb0c67958166d79e47d264e7538e7c041c73af8406b_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-businesscentral-rhel8@sha256:b4804f253e75441ba011a85a38673f1499b11df42e7d63a5d850e2e7f99c4f63_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-controller-rhel8@sha256:b6344cd0cfa033dca638dffa1d6f05b1b44c49cec805a4bead4bb31e967152e7_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-dashbuilder-rhel8@sha256:47dacb456c1349638195e8d1a13224f63c1675199fc819803b50b617b9442c60_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kieserver-rhel8@sha256:1b23a90b54af8f3d61cd9b1cad05cf30f0225af6d8cf1f833e21b0630623070a_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-operator-bundle@sha256:b005ca81fb10121bed0422266e415164d58fc48d85e1fe5b4d36a3a222c249f1_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-process-migration-rhel8@sha256:3c56a1235f0a61744b38b4b579b91b179ba07ae001ead41c64579bd9fd1b4f9c_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-rhel8-operator@sha256:add1edfb633e14a4d23794b80ca0d3f96720d33e11c132580d7b58bf29f9a167_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-smartrouter-rhel8@sha256:63fad8909d38e5f5e5bdb539f025bd95f1d2ec7cc6b6ee5e9b48e36036d19484_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2025:13276" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ 
"8Base-RHOSE-Middleware:rhpam-7/rhpam-businesscentral-monitoring-rhel8@sha256:26a7fe83f3a34f02c2d0fdb0c67958166d79e47d264e7538e7c041c73af8406b_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-businesscentral-rhel8@sha256:b4804f253e75441ba011a85a38673f1499b11df42e7d63a5d850e2e7f99c4f63_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-controller-rhel8@sha256:b6344cd0cfa033dca638dffa1d6f05b1b44c49cec805a4bead4bb31e967152e7_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-dashbuilder-rhel8@sha256:47dacb456c1349638195e8d1a13224f63c1675199fc819803b50b617b9442c60_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kieserver-rhel8@sha256:1b23a90b54af8f3d61cd9b1cad05cf30f0225af6d8cf1f833e21b0630623070a_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-operator-bundle@sha256:b005ca81fb10121bed0422266e415164d58fc48d85e1fe5b4d36a3a222c249f1_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-process-migration-rhel8@sha256:3c56a1235f0a61744b38b4b579b91b179ba07ae001ead41c64579bd9fd1b4f9c_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-rhel8-operator@sha256:add1edfb633e14a4d23794b80ca0d3f96720d33e11c132580d7b58bf29f9a167_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-smartrouter-rhel8@sha256:63fad8909d38e5f5e5bdb539f025bd95f1d2ec7cc6b6ee5e9b48e36036d19484_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rhpam-7/rhpam-businesscentral-monitoring-rhel8@sha256:26a7fe83f3a34f02c2d0fdb0c67958166d79e47d264e7538e7c041c73af8406b_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-businesscentral-rhel8@sha256:b4804f253e75441ba011a85a38673f1499b11df42e7d63a5d850e2e7f99c4f63_amd64", 
"8Base-RHOSE-Middleware:rhpam-7/rhpam-controller-rhel8@sha256:b6344cd0cfa033dca638dffa1d6f05b1b44c49cec805a4bead4bb31e967152e7_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-dashbuilder-rhel8@sha256:47dacb456c1349638195e8d1a13224f63c1675199fc819803b50b617b9442c60_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kieserver-rhel8@sha256:1b23a90b54af8f3d61cd9b1cad05cf30f0225af6d8cf1f833e21b0630623070a_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-operator-bundle@sha256:b005ca81fb10121bed0422266e415164d58fc48d85e1fe5b4d36a3a222c249f1_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-process-migration-rhel8@sha256:3c56a1235f0a61744b38b4b579b91b179ba07ae001ead41c64579bd9fd1b4f9c_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-rhel8-operator@sha256:add1edfb633e14a4d23794b80ca0d3f96720d33e11c132580d7b58bf29f9a167_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-smartrouter-rhel8@sha256:63fad8909d38e5f5e5bdb539f025bd95f1d2ec7cc6b6ee5e9b48e36036d19484_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "git: Git arbitrary file writes" } ] }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.