CVE-2017-15298
Severity CVSS v4.0:
Pending analysis
Type:
CWE-400
Uncontrolled Resource Consumption ('Resource Exhaustion')
Publication date:
14/10/2017
Last modified:
20/04/2025
Description
Git through 2.14.2 mishandles layers of tree objects, which allows remote attackers to cause a denial of service (memory consumption) via a crafted repository, aka a Git bomb. This can also have an impact of disk consumption; however, an affected process typically would not survive its attempt to build the data structure in memory before writing to disk.
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Base Score 2.0
4.30
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:* | 2.14.2 (including) | |
| cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:* | ||
| cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:* | ||
| cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* | ||
| cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html
- https://github.com/Katee/git-bomb
- https://kate.io/blog/git-bomb/
- https://usn.ubuntu.com/3829-1/
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html
- https://github.com/Katee/git-bomb
- https://kate.io/blog/git-bomb/
- https://usn.ubuntu.com/3829-1/