#VU7889 OS command injection in Git - CVE-2017-1000117
Published: August 15, 2017 / Updated: September 14, 2018
Vulnerability identifier: #VU7889
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2017-1000117
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
Git
Git
Software vendor:
Git
Git
Description
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The weakness exists due to command injection flaw. A remote attacker (e.g., repository) can return a specially crafted 'ssh://' URL during 'clone' commands to execute arbitrary shell commands with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
The weakness exists due to command injection flaw. A remote attacker (e.g., repository) can return a specially crafted 'ssh://' URL during 'clone' commands to execute arbitrary shell commands with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Update to version 2.14.1.