OS command injection in Git - CVE-2017-1000117
Published: August 15, 2017 / Updated: September 14, 2018
Vulnerability identifier: #VU7889
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2017-1000117
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: Git
Affected software:
Git
Git
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The weakness exists due to command injection flaw. A remote attacker (e.g., repository) can return a specially crafted 'ssh://' URL during 'clone' commands to execute arbitrary shell commands with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
The weakness exists due to command injection flaw. A remote attacker (e.g., repository) can return a specially crafted 'ssh://' URL during 'clone' commands to execute arbitrary shell commands with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
How to mitigate CVE-2017-1000117
Update to version 2.14.1.