CVE-2017-14867: OS Command Injection
First published: Tue Sep 26 2017(Updated: )
Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/git | 1:2.20.1-2+deb10u3 1:2.20.1-2+deb10u8 1:2.30.2-1+deb11u2 1:2.39.2-1.1 1:2.42.0-1 | |
| Git Git-shell | <=2.10.4 | |
| Git Git-shell | =2.11.0 | |
| Git Git-shell | =2.11.1 | |
| Git Git-shell | =2.11.2 | |
| Git Git-shell | =2.11.3 | |
| Git Git-shell | =2.12.0 | |
| Git Git-shell | =2.12.1 | |
| Git Git-shell | =2.12.2 | |
| Git Git-shell | =2.12.3 | |
| Git Git-shell | =2.12.4 | |
| Git Git-shell | =2.13.0 | |
| Git Git-shell | =2.13.1 | |
| Git Git-shell | =2.13.2 | |
| Git Git-shell | =2.13.3 | |
| Git Git-shell | =2.13.4 | |
| Git Git-shell | =2.13.5 | |
| Git Git-shell | =2.14.0 | |
| Git Git-shell | =2.14.1 | |
| Debian | =8.0 | |
| Debian | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2017/09/26/9
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876854
- http://www.securityfocus.com/bid/101060
- http://www.securitytracker.com/id/1039431
- https://bugs.debian.org/876854
- https://lists.debian.org/debian-security-announce/2017/msg00246.html
- https://public-inbox.org/git/xmqqy3p29ekj.fsf@gitster.mtv.corp.google.com/T/#u
- https://www.debian.org/security/2017/dsa-3984
- https://www.openwall.com/lists/oss-security/2017/09/26/9
- https://security-tracker.debian.org/tracker/CVE-2017-14867
Frequently Asked Questions
What is the severity of CVE-2017-14867?
CVE-2017-14867 has a high severity rating due to the potential for arbitrary OS command execution.
How do I fix CVE-2017-14867?
To fix CVE-2017-14867, upgrade Git to version 2.10.5 or later.
What versions of Git are affected by CVE-2017-14867?
CVE-2017-14867 affects Git versions before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2.
Can CVE-2017-14867 be exploited remotely?
Yes, CVE-2017-14867 can potentially be exploited remotely if an attacker has access to input the module name.
What should I do if I'm using an affected version of Git and cannot upgrade immediately for CVE-2017-14867?
If you cannot upgrade immediately, limit the use of vulnerable subcommands and monitor logs for unusual activity as a temporary measure.
- collector/debian-bugs
- alias/CVE-2017-14867
- collector/security-tracker-debian
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/references
- agent/weakness
- agent/severity
- agent/author
- agent/description
- agent/event
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/git-scm
- canonical/git git-shell
- version/git git-shell/2.10.4
- version/git git-shell/2.11.0
- version/git git-shell/2.11.1
- version/git git-shell/2.11.2
- version/git git-shell/2.11.3
- version/git git-shell/2.12.0
- version/git git-shell/2.12.1
- version/git git-shell/2.12.2
- version/git git-shell/2.12.3
- version/git git-shell/2.12.4
- version/git git-shell/2.13.0
- version/git git-shell/2.13.1
- version/git git-shell/2.13.2
- version/git git-shell/2.13.3
- version/git git-shell/2.13.4
- version/git git-shell/2.13.5
- version/git git-shell/2.14.0
- version/git git-shell/2.14.1
- vendor/debian
- canonical/debian
- version/debian/8.0
- version/debian/9.0