CVE-2017-14867

Published: 9/28/2017 Last updated: 8/5/2024 Reserved: 9/28/2017

Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.

CNA assigner: mitre (8254265b-2729-46b6-b9e3-3dfca2d5bfca) Requested by: n/a

Opam packages affected (1)

conf-git

Products affected (0)

No product listed.

References (14)

https://bugs.debian.org/876854
http://www.openwall.com/lists/oss-security/2017/09/26/9
https://lists.debian.org/debian-security-announce/2017/msg00246.html
https://public-inbox.org/git/xmqqy3p29ekj.fsf@gitster.mtv.corp.google.com/T/#u
http://www.securitytracker.com/id/1039431
http://www.securityfocus.com/bid/101060
https://www.debian.org/security/2017/dsa-3984
http://www.openwall.com/lists/oss-security/2017/09/26/9
https://bugs.debian.org/876854
https://lists.debian.org/debian-security-announce/2017/msg00246.html
https://public-inbox.org/git/xmqqy3p29ekj.fsf@gitster.mtv.corp.google.com/T/#u
http://www.securitytracker.com/id/1039431
http://www.securityfocus.com/bid/101060
https://www.debian.org/security/2017/dsa-3984