CVE-2017-17831
Arbitrary command execution in github.com/git-lfs/git-lfs
Severity: HIGH (8.8) | EPSS: 0.72%
Published: 5/14/2022 | Modified: 6/3/2024
Description
Arbitrary command execution can be triggered by improperly sanitized SSH URLs in LFS configuration files. This can be triggered by cloning a malicious repository.
Affected packages (2)
- Go / github.com/git-lfs/git-lfs: from 0, < 2.1.1-0.20170519163204-f913f5f9c7c6
- Go / github.com/git-lfs/git-lfs: from 0, < 2.1.1-0.20170519163204-f913f5f9c7c6+incompatible
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
References (11)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2017-17831
- PATCH: https://github.com/git-lfs/git-lfs
- WEB: http://blog.recurity-labs.com/2017-08-10/scm-vulns
- WEB: https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html
- WEB: https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19
- WEB: https://github.com/git-lfs/git-lfs/pull/2241
- WEB: https://github.com/git-lfs/git-lfs/pull/2242
- WEB: https://github.com/git-lfs/git-lfs/releases/tag/v2.1.1
- WEB: https://pkg.go.dev/vuln/GO-2021-0073
- WEB: https://web.archive.org/web/20200227131639/http://www.securityfocus.com/bid/102926
- WEB: http://www.securityfocus.com/bid/102926