CVE-2017-14867
N/A
N/A
Summary
Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- http://www.openwall.com/lists/oss-security/2017/09/26/9
- https://bugs.debian.org/876854
- https://lists.debian.org/debian-security-announce/2017/msg00246.html
- https://public-inbox.org/git/xmqqy3p29ekj.fsf%40gitster.mtv.corp.google.com/T/#u
- http://www.securitytracker.com/id/1039431
- http://www.securityfocus.com/bid/101060
- https://www.debian.org/security/2017/dsa-3984
References
- http://www.openwall.com/lists/oss-security/2017/09/26/9
- https://bugs.debian.org/876854
- https://lists.debian.org/debian-security-announce/2017/msg00246.html
- https://public-inbox.org/git/xmqqy3p29ekj.fsf%40gitster.mtv.corp.google.com/T/#u
- http://www.securitytracker.com/id/1039431
- http://www.securityfocus.com/bid/101060
- https://www.debian.org/security/2017/dsa-3984
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.