CVE-2017-14867: OS Command Injection
First published: Tue Sep 26 2017(Updated: )
Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/git | 1:2.20.1-2+deb10u3 1:2.20.1-2+deb10u8 1:2.30.2-1+deb11u2 1:2.39.2-1.1 1:2.42.0-1 | |
| Git-scm Git | <=2.10.4 | |
| Git-scm Git | =2.11.0 | |
| Git-scm Git | =2.11.1 | |
| Git-scm Git | =2.11.2 | |
| Git-scm Git | =2.11.3 | |
| Git-scm Git | =2.12.0 | |
| Git-scm Git | =2.12.1 | |
| Git-scm Git | =2.12.2 | |
| Git-scm Git | =2.12.3 | |
| Git-scm Git | =2.12.4 | |
| Git-scm Git | =2.13.0 | |
| Git-scm Git | =2.13.1 | |
| Git-scm Git | =2.13.2 | |
| Git-scm Git | =2.13.3 | |
| Git-scm Git | =2.13.4 | |
| Git-scm Git | =2.13.5 | |
| Git-scm Git | =2.14.0 | |
| Git-scm Git | =2.14.1 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2017/09/26/9
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876854
- https://www.openwall.com/lists/oss-security/2017/09/26/9
- https://public-inbox.org/git/xmqqy3p29ekj.fsf@gitster.mtv.corp.google.com/T/#u
- https://security-tracker.debian.org/tracker/CVE-2017-14867
- http://www.securityfocus.com/bid/101060
- http://www.securitytracker.com/id/1039431
- https://bugs.debian.org/876854
- https://lists.debian.org/debian-security-announce/2017/msg00246.html
- https://www.debian.org/security/2017/dsa-3984
- collector/debian-bugs
- alias/CVE-2017-14867
- collector/security-tracker-debian
- collector/nvd-index
- package-manager/debian
- vendor/git-scm
- canonical/git-scm git
- version/git-scm git/2.10.4
- version/git-scm git/2.11.0
- version/git-scm git/2.11.1
- version/git-scm git/2.11.2
- version/git-scm git/2.11.3
- version/git-scm git/2.12.0
- version/git-scm git/2.12.1
- version/git-scm git/2.12.2
- version/git-scm git/2.12.3
- version/git-scm git/2.12.4
- version/git-scm git/2.13.0
- version/git-scm git/2.13.1
- version/git-scm git/2.13.2
- version/git-scm git/2.13.3
- version/git-scm git/2.13.4
- version/git-scm git/2.13.5
- version/git-scm git/2.14.0
- version/git-scm git/2.14.1
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0