CVE-2017-1000117
Published 2017-10-05
Priority P274 · high · 8.8 CVSS 3.0
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 77.82% (99.5th percentile)
A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability.
Affected
71 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | xcode_9 | — | — |
| atlassian | bitbucket | < 5.4.1 | 5.4.1 |
| atlassian | bitbucket | >= 5.1.0 < 5.1.7 | 5.1.7 |
| atlassian | bitbucket | >= 5.2.0 < 5.2.5 | 5.2.5 |
| atlassian | bitbucket | >= 5.3.0 < 5.3.3 | 5.3.3 |
| atlassian | bitbucket_server | — | — |
| atlassian | bitbucket_server | — | — |
| atlassian | bitbucket_server | — | — |
| atlassian | bitbucket_server | — | — |
| canonical | bazaar | <= 2.7.0 | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | breezy | < breezy 3.0.0~bzr6772-1 (bookworm) | breezy 3.0.0~bzr6772-1 (bookworm) |
| debian | bzr | < breezy 3.0.0~bzr6772-1 (bookworm) | breezy 3.0.0~bzr6772-1 (bookworm) |
| debian | bzr | 0 – 2.7.0 | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | dulwich | < dulwich 0.18.5-1 (bookworm) | dulwich 0.18.5-1 (bookworm) |
| debian | fossil | < fossil 1:2.4-1 (bookworm) | fossil 1:2.4-1 (bookworm) |
| debian | git | < git 1:2.14.1-1 (bookworm) | git 1:2.14.1-1 (bookworm) |
| debian | git-annex | < git-annex 6.20170818-1 (bookworm) | git-annex 6.20170818-1 (bookworm) |
| dulwich_project | dulwich | <= 0.18.4 | — |
| dulwich_project | dulwich | >= 0 < 0.18.5-1 | 0.18.5-1 |
| dulwich_project | dulwich | >= 0 < 0.18.5-1 | 0.18.5-1 |
Detection & IOCs (extracted from sources)
- Detect git clone or submodule init operations referencing ssh:// URLs where the hostname begins with a dash character (e.g., ssh://-o... or ssh://-e...), which is the core exploitation pattern for CVE-2017-1000117.
- Inspect .gitmodules files in cloned repositories for submodule URLs beginning with 'ssh://-', particularly patterns like ssh://-oProxyCommand= or ssh://-eProxyCommand= which abuse SSH option injection.
- Monitor HTTP servers serving fake git repositories: look for User-Agent strings matching 'git/*' fetching paths under a *.git URI, followed by requests for /objects/ paths and /HEAD or /info/refs, indicative of the Metasploit exploit module's malicious git HTTP server.
- Alert on git submodule initialisation (git submodule init / git submodule update) where the resolved remote URL contains an initial dash in the hostname portion of an ssh:// scheme, as this triggers arbitrary OS command execution.
- The same ssh://-<option> hostname injection pattern applies to related tools (Bazaar bzr+ssh, git-annex); broaden detection to cover bzr+ssh:// and annex remote URLs with leading-dash hostnames.
- The exploit targets Git version 2.7.5 and lower; versions above this threshold are not affected by CVE-2017-1000117 and detections should be scoped accordingly.
- The Metasploit module uses a randomly generated URI path for the malicious git repository (random alpha string + '.git') and a randomly generated submodule path, so static URI-based signatures will have limited coverage; behavioural detection on .gitmodules content is more reliable.
- The payload is URL-hex-encoded (Rex::Text.to_hex with '%') before being embedded in the ssh:// URL, so plain-text command string matching in .gitmodules will miss encoded payloads; decode percent-encoded hostnames before matching.
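The .gitmodules checks listed above can be combined into one scanner. This is an added example, not code from any of the cited advisories or tools: it percent-decodes the URL authority before testing for a leading dash. The function names, the sample file, the `placeholder` value and the `example.invalid` hosts are constructed for illustration, and the `git+ssh`/`ssh+git` aliases go beyond the schemes this page names.

```python
import re
from urllib.parse import unquote

# Schemes that lead to an ssh subprocess being spawned. ssh:// and bzr+ssh://
# are named on this page; git+ssh:// and ssh+git:// are aliases Git also
# accepts (an assumption added here to widen coverage).
SSH_SCHEMES = ("ssh", "git+ssh", "ssh+git", "bzr+ssh")

SECTION_RE = re.compile(r'^\s*\[submodule\s+"(?P<name>[^"]*)"\]\s*$')
URL_RE = re.compile(r'^\s*url\s*=\s*(?P<url>\S.*?)\s*$', re.IGNORECASE)


def ssh_authority(url):
    """Return the percent-decoded authority of an ssh-style URL, else None."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in SSH_SCHEMES:
        return None
    # Everything up to the first literal "/" is what would be handed to ssh
    # as the host argument. Encoded slashes (%2f) stay inside the authority,
    # so decoding must happen after the split, not before.
    authority = rest.split("/", 1)[0]
    return unquote(authority)


def is_option_injection(url):
    """True if the host part of an ssh-style URL would parse as an ssh option."""
    authority = ssh_authority(url)
    if authority is None:
        return False
    # Check both the raw authority and the part after the last "@", because
    # an injected option value may itself contain "@".
    host = authority.rsplit("@", 1)[-1]
    return authority.startswith("-") or host.startswith("-")


def scan_gitmodules(text):
    """Return (line number, submodule name, url) for each suspicious url entry."""
    findings = []
    current = None
    for lineno, line in enumerate(text.splitlines(), 1):
        section = SECTION_RE.match(line)
        if section:
            current = section.group("name")
            continue
        entry = URL_RE.match(line)
        if entry and is_option_injection(entry.group("url")):
            findings.append((lineno, current, entry.group("url")))
    return findings


# Constructed sample .gitmodules content (not taken from a real repository).
SAMPLE = '''\
[submodule "docs"]
\tpath = docs
\turl = https://example.invalid/docs.git
[submodule "plain"]
\tpath = plain
\turl = ssh://-oProxyCommand=placeholder/x
[submodule "encoded"]
\tpath = encoded
\turl = ssh://%2DoProxyCommand%3Dplaceholder/x
[submodule "ok"]
\tpath = ok
\turl = ssh://git@example.invalid/team/repo.git
[submodule "bzr"]
\tpath = bzr
\turl = bzr+ssh://user@-oProxyCommand=placeholder/branch
'''

if __name__ == "__main__":
    for lineno, name, url in scan_gitmodules(SAMPLE):
        print(f"line {lineno}: submodule {name!r} has option-like ssh host: {url}")
```

The "encoded" entry is the case a plain-text match on `ssh://-` misses; it is flagged only because the authority is decoded first.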
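CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |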
Red Hat
python-dulwich: Setting SSH arguments from untrusted URLs allows code execution
vendor_redhat·2017-10-29·CVSS 9.8
CVE-2017-16228 [CRITICAL] CWE-20 python-dulwich: Setting SSH arguments from untrusted URLs allows code execution
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
Package: python-dulwich (Red Hat OpenStack Platform 11 (Ocata)) - Will not fix
Apple
CVE-2017-7136: Xcode 9
vendor_apple·2017-09-19·CVSS 8.8
CVE-2017-7136 [HIGH] CVE-2017-7136: Xcode 9
Apple Security Update: About the security content of Xcode 9
Product: Xcode 9
CVE: CVE-2017-7136
Component: CVE-2017-1000117
Impact: Parsing a maliciously crafted Mach-O file may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
Apple
CVE-2017-1000117: Xcode 9
vendor_apple·2017-09-19·CVSS 8.8
CVE-2017-1000117 [HIGH] CVE-2017-1000117: Xcode 9
Apple Security Update: About the security content of Xcode 9
Product: Xcode 9
CVE: CVE-2017-1000117
Component: CVE-2017-1000117
Impact: Parsing a maliciously crafted Mach-O file may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
Apple
CVE-2017-7076: Xcode 9
vendor_apple·2017-09-19·CVSS 8.8
CVE-2017-7076 [HIGH] CVE-2017-7076: Xcode 9
Apple Security Update: About the security content of Xcode 9
Product: Xcode 9
CVE: CVE-2017-7076
Component: CVE-2017-1000117
Impact: Parsing a maliciously crafted Mach-O file may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
Apple
CVE-2017-7135: Xcode 9
vendor_apple·2017-09-19·CVSS 8.8
CVE-2017-7135 [HIGH] CVE-2017-7135: Xcode 9
Apple Security Update: About the security content of Xcode 9
Product: Xcode 9
CVE: CVE-2017-7135
Component: CVE-2017-1000117
Impact: Parsing a maliciously crafted Mach-O file may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
Apple
CVE-2017-7134: Xcode 9
vendor_apple·2017-09-19·CVSS 8.8
CVE-2017-7134 [HIGH] CVE-2017-7134: Xcode 9
Apple Security Update: About the security content of Xcode 9
Product: Xcode 9
CVE: CVE-2017-7134
Component: CVE-2017-1000117
Impact: Parsing a maliciously crafted Mach-O file may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
Apple
CVE-2017-7137: Xcode 9
vendor_apple·2017-09-19·CVSS 8.8
CVE-2017-7137 [HIGH] CVE-2017-7137: Xcode 9
Apple Security Update: About the security content of Xcode 9
Product: Xcode 9
CVE: CVE-2017-7137
Component: CVE-2017-1000117
Impact: Parsing a maliciously crafted Mach-O file may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
Red Hat
bzr: does not strip bzr+ssh SSH options
vendor_redhat·2017-08-26·CVSS 9.8
CVE-2017-14176 [CRITICAL] CWE-77 bzr: does not strip bzr+ssh SSH options
Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
Statement: Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Package: bzr (Red Hat Enterprise Linux 6) - Will not fix
Package: bzr (Red Hat Enterprise Linux 7) - Will not fix
Ubuntu
Git vulnerability
vendor_ubuntu·2017-08-11
CVE-2017-1000117 Git vulnerability
Title: Git vulnerability
Summary: Git could be made to run programs as your login if it opened a specially crafted git repository.
Brian Neel, Joern Schneeweisz, and Jeff King discovered that Git did not properly handle host names in 'ssh://' URLs. A remote attacker could use this to construct a git repository that when accessed could run arbitrary code with the privileges of the user.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
git: Command injection via malicious ssh URLs
vendor_redhat·2017-08-10·CVSS 8.8
CVE-2017-1000117 [HIGH] CWE-20 git: Command injection via malicious ssh URLs
A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability.
A shell command injection flaw related to the handling of "ssh" URLs has been discovered in Git. An attacker could use this flaw to execute shell commands with the privileges of the user running the Git client, for example, when performing a "clone" action on a malicious repository or a legitimate repository containing a malicious commit.
Package: jgit (Red
Debian
CVE-2017-16228: dulwich - Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers t...
vendor_debian·2017·CVSS 9.8
CVE-2017-16228 [CRITICAL] CVE-2017-16228: dulwich - Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers t...
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
Scope: local
bookworm: resolved (fixed in 0.18.5-1)
bullseye: resolved (fixed in 0.18.5-1)
forky: resolved (fixed in 0.18.5-1)
sid: resolved (fixed in 0.18.5-1)
trixie: resolved (fixed in 0.18.5-1)
Debian
CVE-2017-14176: breezy - Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to ex...
vendor_debian·2017·CVSS 9.8
CVE-2017-14176 [CRITICAL] CVE-2017-14176: breezy - Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to ex...
Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
Scope: local
bookworm: resolved (fixed in 3.0.0~bzr6772-1)
bullseye: resolved (fixed in 3.0.0~bzr6772-1)
forky: resolved (fixed in 3.0.0~bzr6772-1)
sid: resolved (fixed in 3.0.0~bzr6772-1)
trixie: resolved (fixed in 3.0.0~bzr6772-1)
Debian
CVE-2017-17459: fossil - http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allow...
vendor_debian·2017·CVSS 9.8
CVE-2017-17459 [CRITICAL] CVE-2017-17459: fossil - http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allow...
http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allows user-assisted remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-14176, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
Scope: local
bookworm: resolved (fixed in 1:2.4-1)
bullseye: resolved (fixed in 1:2.4-1)
sid: resolved (fixed in 1:2.4-1)
trixie: resolved (fixed in 1:2.4-1)
Debian
CVE-2017-12976: git-annex - git-annex before 6.20170818 allows remote attackers to execute arbitrary command...
vendor_debian·2017·CVSS 9.8
CVE-2017-12976 [CRITICAL] CVE-2017-12976: git-annex - git-annex before 6.20170818 allows remote attackers to execute arbitrary command...
git-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and CVE-2017-1000117.
Scope: local
bookworm: resolved (fixed in 6.20170818-1)
bullseye: resolved (fixed in 6.20170818-1)
forky: resolved (fixed in 6.20170818-1)
sid: resolved (fixed in 6.20170818-1)
trixie: resolved (fixed in 6.20170818-1)
Debian
CVE-2017-1000117: git - A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting vi...
vendor_debian·2017·CVSS 8.8
CVE-2017-1000117 [HIGH] CVE-2017-1000117: git - A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting vi...
A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability.
Scope: local
bookworm: resolved (fixed in 1:2.14.1-1)
bullseye: resolved (fixed in 1:2.14.1-1)
forky: resolved (fixed in 1:2.14.1-1)
sid: resolved (fixed in 1:2.14.1-1)
trixie: resolved (fixed in 1:2.14.1-1)
OSV
git-annex command injection via malicious SSH hostname
osv·2025-11-14·CVSS 8.8
CVE-2017-12976 [HIGH] git-annex command injection via malicious SSH hostname
*git-annex* was vulnerable to the same class of security hole as
git's **CVE-2017-1000117**. In several cases, `git-annex` parses a
repository URL, and uses it to generate a `ssh` command, with the
hostname to ssh to coming from the URL. If the hostname it parses is
something like `-eProxyCommand=evil`, this could result in arbitrary
local code execution.
Some details of URL parsing may prevent the exploit working in some
cases.
Exploiting this would involve the attacker tricking the victim into
adding a remote something like `ssh://-eProxyCommand=evil/blah`.
One possible avenue for an attacker that avoids exposing the URL to
the user is to use `initremote` with an SSH rem
GHSA
GHSA-jqcx-qqvc-9wx5: git-annex before 6
ghsa_unreviewed·2022-05-14·CVSS 9.8
CVE-2017-12976 [CRITICAL] CWE-20 GHSA-jqcx-qqvc-9wx5: git-annex before 6
git-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and CVE-2017-1000117.
GHSA
GHSA-jjxg-hpm7-g95f: Bazaar through 2
ghsa_unreviewed·2022-05-13·CVSS 9.8
CVE-2017-14176 [CRITICAL] GHSA-jjxg-hpm7-g95f: Bazaar through 2
Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
GHSA
GHSA-ff3p-f5xw-q723: http_transport
ghsa_unreviewed·2022-05-13·CVSS 9.8
CVE-2017-17459 [CRITICAL] GHSA-ff3p-f5xw-q723: http_transport
http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allows user-assisted remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-14176, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
GHSA
GHSA-q5x8-47cx-6m4p: A malicious third-party can give a crafted "ssh://
ghsa_unreviewed·2022-05-13
CVE-2017-1000117 [HIGH] CWE-601 GHSA-q5x8-47cx-6m4p: A malicious third-party can give a crafted "ssh://
A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability.
OSV
Dulwich RCE Vulnerability
osv·2022-05-13·CVSS 9.8
CVE-2017-16228 [CRITICAL] Dulwich RCE Vulnerability
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
GHSA
Dulwich RCE Vulnerability
ghsa·2022-05-13·CVSS 9.8
CVE-2017-16228 [CRITICAL] Dulwich RCE Vulnerability
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
GHSA
Bazaar allows remote attackers to execute arbitrary commands via a bzr+ssh URL with initial dash character in hostname
ghsa·2022-05-13·CVSS 9.8
CVE-2017-14176 [CRITICAL] Bazaar allows remote attackers to execute arbitrary commands via a bzr+ssh URL with initial dash character in hostname
Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
GHSA
GHSA-c5mx-vvj3-c6pv: The download commit resource in Atlassian Bitbucket Server from version 5
ghsa_unreviewed·2022-05-13·CVSS 8.8
CVE-2017-18087 [HIGH] GHSA-c5mx-vvj3-c6pv: The download commit resource in Atlassian Bitbucket Server from version 5
The download commit resource in Atlassian Bitbucket Server from version 5.1.0 before version 5.1.7, from version 5.2.0 before version 5.2.5, from version 5.3.0 before version 5.3.3 and from version 5.4.0 before version 5.4.1 allows remote attackers to write files to disk, potentially allowing them to gain code execution, exploit CVE-2017-1000117 if a vulnerable version of git is in use, and/or determine if an internal service exists via an argument injection vulnerability in the at parameter.
OSV
CVE-2017-17459: http_transport
osv·2017-12-07·CVSS 9.8
CVE-2017-17459 [CRITICAL] CVE-2017-17459: http_transport
http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allows user-assisted remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-14176, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
OSV
CVE-2017-14176: Bazaar through 2
osv·2017-11-27·CVSS 9.8
CVE-2017-14176 [CRITICAL] CVE-2017-14176: Bazaar through 2
Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
OSV
CVE-2017-16228: Dulwich before 0
osv·2017-10-29·CVSS 9.8
CVE-2017-16228 [CRITICAL] CVE-2017-16228: Dulwich before 0
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
OSV
CVE-2017-1000117: A malicious third-party can give a crafted "ssh://
osv·2017-10-05·CVSS 8.8
CVE-2017-1000117 [HIGH] CVE-2017-1000117: A malicious third-party can give a crafted "ssh://
A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability.
OSV
CVE-2017-12976: git-annex before 6
osv·2017-08-20·CVSS 9.8
CVE-2017-12976 [CRITICAL] CVE-2017-12976: git-annex before 6
git-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and CVE-2017-1000117.
No detection rules found.
Exploit-DB
Git < 2.7.5 - Command Injection (Metasploit)
exploitdb·2017-08-31·CVSS 8.8
CVE-2017-1000117 [HIGH] Git < 2.7.5 - Command Injection (Metasploit)
```ruby
Git 'Malicious Git HTTP Server For CVE-2017-1000117',
'Description' => %q(
  This module exploits CVE-2017-1000117, which affects Git
  version 2.7.5 and lower. A submodule of the form 'ssh://' can be passed
  parameters from the username incorrectly. This can be used to inject
  commands to the operating system when the submodule is cloned.
  This module creates a fake git repository which contains a submodule
  containing the vulnerability. The vulnerability is triggered when the
  submodules are initialised.
),
'License' => MSF_LICENSE,
'References' =>
  [
    ['CVE', '2017-1000117'],
    ['URL', 'http://seclists.org/oss-sec/2017/q3/280' ]
  ],
'DisclosureDate' => 'Aug 10 2017',
'Targets' =>
  [
    [
      'Automatic',
      {
        'Platform' => [ 'unix' ],
        'Arch' => ARCH_CMD,
        'Payload' =>
          {
            'Compat' =>
              {
                'PayloadType' => 'python'
              }
```
Metasploit
Malicious Git HTTP Server For CVE-2017-1000117
metasploit·CVSS 8.8
CVE-2017-1000117 [HIGH] Malicious Git HTTP Server For CVE-2017-1000117
This module exploits CVE-2017-1000117, which affects Git version 2.7.5 and lower. A submodule of the form 'ssh://' can be passed parameters from the username incorrectly. This can be used to inject commands to the operating system when the submodule is cloned. This module creates a fake git repository which contains a submodule containing the vulnerability. The vulnerability is triggered when the submodules are initialised.
Bugzilla
CVE-2017-16228 python-dulwich: Setting SSH arguments from untrusted URLs allows code execution
bugzilla·2017-11-03·CVSS 9.8
CVE-2017-16228 [CRITICAL] CVE-2017-16228 python-dulwich: Setting SSH arguments from untrusted URLs allows code execution
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
Upstream patch:
https://www.dulwich.io/code/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6/
Discussion:
Created python-dulwich tracking bugs for this issue:
Affects: epel-all [bug 1509304]
Affects: fedora-all [bug 1509305]
---
OpenStack reno is the package that requires python-dulwich. However, it does not use the vulnerable function within python-dulwich. The functionality used by reno is for manipulating
HackerOne
RCE via ssh:// URIs in multiple VCS
hackerone·2017-09-21·CVSS 9.8
CVE-2017-9800 [CRITICAL] RCE via ssh:// URIs in multiple VCS
I'd like to submit an RCE issue within Git, SVN and Mercurial; the CVEs are:
* CVE-2017-9800 (Subversion)
* CVE-2017-1000116 (Mercurial (hg))
* CVE-2017-1000117 (Git)
Further Info can be found at:
http://blog.recurity-labs.com/2017-08-10/scm-vulns
And product specific:
* https://public-inbox.org/git/[email protected]/T/#u
* http://subversion.apache.org/security/CVE-2017-9800-advisory.txt
* https://about.gitlab.com/2017/08/10/gitlab-9-dot-4-dot-4-released/
I think these issues which all are based on the same flaw could be worth
an IBB Bounty. However I'd like to point out that we at Recurity Labs
would like the bounty being donated to a charity. The to be determined
charity will be something in the field of brain aneurysm,
Bugzilla
CVE-2017-12976 git-annex: RCE via ssh URL with an initial dash character in the hostname
bugzilla·2017-08-24·CVSS 9.8
CVE-2017-12976 [CRITICAL] CVE-2017-12976 git-annex: RCE via ssh URL with an initial dash character in the hostname
git-annex before 6.20170818 allows remote attackers to execute
arbitrary commands via an ssh URL with an initial dash character in the
hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related
issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and
CVE-2017-1000117.
Upstream patch:
http://source.git-annex.branchable.com/?p=source.git;a=commit;h=df11e54788b254efebb4898b474de11ae8d3b471
Discussion:
Created git-annex tracking bugs for this issue:
Affects: epel-all [bug 1484822]
Affects: fedora-all [bug 1484821]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the d
Bugzilla
CVE-2017-1000117 git: Command injection via malicious ssh URLs
bugzilla·2017-08-10·CVSS 8.8
CVE-2017-1000117 [HIGH] CVE-2017-1000117 git: Command injection via malicious ssh URLs
A flaw was found in the way the Git client handles "ssh://" URLs. A maliciously crafted "ssh://" URL would cause Git clients to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to an honest server (to attack another user of that server's repositories), or by a proxy server.
Discussion:
External References:
https://lkml.org/lkml/2017/8/10/757
http://blog.recurity-labs.com/2017-08-10/scm-vulns
---
Updates for Fedora 25 and 26 were pushed while this bug was being created. I don't see any Fedora tracker bugs. For Fedora users who search by the CVE and want to find the updates for testing, here are the links:
https://bodhi.fedoraproject.org/updates/FEDORA-201
- http://www.debian.org/security/2017/dsa-3934
- http://www.securityfocus.com/bid/100283
- http://www.securitytracker.com/id/1039131
- https://access.redhat.com/errata/RHSA-2017:2484
- https://access.redhat.com/errata/RHSA-2017:2485
- https://access.redhat.com/errata/RHSA-2017:2491
- https://access.redhat.com/errata/RHSA-2017:2674
- https://access.redhat.com/errata/RHSA-2017:2675
- https://security.gentoo.org/glsa/201709-10
- https://support.apple.com/HT208103
- https://www.exploit-db.com/exploits/42599/
- https://www.mail-archive.com/linux-kernel%40vger.kernel.org/msg1466490.html