Privilege escalation in Git

Published: 2017-06-06 | Updated: 2017-06-08
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2017-8386
Exploitation vector Network
Public exploit N/A
Vulnerable software
Client/Desktop applications / Software for system administration

Vendor Git

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Privilege escalation


Risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8386

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No


The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The weakness exists due to an error when handling command-line options for the restricted set of git-shell commands. A remote attacker can use a repository name that starts with a - (dash) character to bypass git-shell restrictions and gain elevated privileges.

Successful exploitation of the vulnerability results in access to the system and information disclosure.


Update to version 2.13.0.

Vulnerable software versions

Git: 2.4 - 2.12.3

External links

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.