The Git Project announced a critical arbitrary code execution vulnerability in the Git command line client, Git Desktop, and Atom. The vulnerability has been assigned the ID CVE-2018-17456 and is similar to a previous option injection vulnerability. A malicious repository can create a .gitmodules file that contains a URL that starts with a dash. If the URL field is set to a string that begins with a dash, the “git clone” subprocess interprets the URL as an option. This can lead to executing an arbitrary script shipped in the superproject as the user who ran “git clone”.
Source: https://www.bleepingcomputer.com/news/security/git-project-patches-remote-code-execution-vulnerability-in-git/
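
A defensive check for the condition described above, added here as an example and not taken from the Git project or the source article: it scans `.gitmodules` text and reports any submodule `url` value that begins with a dash. The parser is a simplified reading of the git-config format, and the sample file, submodule names and URL values are constructed.

```python
import re

# Constructed sample .gitmodules (not from a real repository). The second
# entry's URL starts with a dash, the pattern described for CVE-2018-17456.
SAMPLE_GITMODULES = """\
[submodule "docs"]
	path = docs
	url = https://example.com/docs.git
[submodule "vendored"]
	path = vendor/lib
	url = -constructed-option-like-value
"""

SECTION_RE = re.compile(r'^\s*\[submodule\s+"(?P<name>[^"]*)"\]\s*$')
KEYVAL_RE = re.compile(r'^\s*(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*)$')


def submodule_urls(text):
    """Yield (submodule_name, url) for each url key in a submodule section."""
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue  # blank line or comment
        section = SECTION_RE.match(line)
        if section:
            current = section.group("name")
            continue
        if stripped.startswith("["):
            current = None  # some other section; its keys are not submodule URLs
            continue
        keyval = KEYVAL_RE.match(line)
        if keyval and current is not None and keyval.group("key").lower() == "url":
            value = keyval.group("value").strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # drop surrounding quotes
            yield current, value


def option_like_urls(text):
    """Return submodule URLs that a subprocess could parse as an option."""
    return [(name, url) for name, url in submodule_urls(text) if url.startswith("-")]


if __name__ == "__main__":
    for name, url in option_like_urls(SAMPLE_GITMODULES):
        print(f"submodule {name!r}: url {url!r} begins with a dash")
```

A check like this can run over a repository's `.gitmodules` before any submodule is fetched, for example in a pre-clone review step or a repository scanner.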

