CVE-2017-14867
Published: 2017-09-29
Priority: P2 · 67 · high · CVSS 3.0: 8.8
CVSS 3.0 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 36.00% (percentile 98.3)
Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.
Affected
27 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | git | < 1:2.14.2-1 (bookworm) | 1:2.14.2-1 (bookworm) |
| git-scm | git | <= 2.10.4 | — |
| git-scm | git | — | — |
| git | git | >= 0 < 1:2.14.2-1 | 1:2.14.2-1 |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered via shell metacharacters in a CVS module name passed to git-cvsserver (a Perl script). Monitor for git-shell or git-cvsserver invocations containing shell metacharacters (e.g., backticks, semicolons, pipes, $()) in module name arguments.
- git-cvsserver is reachable via git-shell even without CVS explicitly configured; monitor git-shell sessions that invoke cvsserver subcommands.
- The vulnerable code path uses Perl backtick operators to invoke git with user-supplied input. Look for unexpected child processes (e.g., /bin/sh) spawned from git-cvsserver or perl processes handling git subcommands.
- git-cvsserver will be invoked by git-shell by default without further configuration; audit git-shell allowed command lists for the presence of cvsserver.
- Systems are only vulnerable if the git-cvs package is installed. Removing it mitigates the vulnerability.
- The Ubuntu fix also removes the cvsserver subcommand from git-shell by default, a configuration hardening measure that prevents exploitation through git-shell.
- Affected git versions: before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2.
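The notes above describe three detection angles (metacharacters in cvsserver command lines, a shell spawned under git-cvsserver, and cvsserver reached via git-shell). The following added example, which is not from the page's sources or from the Git project, applies them to a constructed process-event feed; it assumes each event carries pid, ppid, comm and cmdline.

```python
import re
from typing import Dict, List

# Shell metacharacters the detection notes single out (backticks, semicolons,
# pipes, $()), plus redirection and background operators.
META_RE = re.compile(r"[`;|&$()<>]")
# Command lines that reach git's CVS server path: the git-cvsserver script,
# "git cvsserver", or the "cvs server" request that git-shell forwards to it.
CVS_RE = re.compile(r"\b(git-cvsserver|git\s+cvsserver|cvs\s+server)\b")
SHELLS = {"sh", "bash", "dash", "ksh"}

def analyze_process_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the three detection notes to process-start events (pid, ppid,
    comm, cmdline, as an EDR or auditd EXECVE feed would supply them).
    Rule A: a cvsserver command line carrying shell metacharacters.
    Rule B: a shell spawned by git-cvsserver, whose expected children are git.
    Rule C: cvsserver reached through git-shell (audit even when benign)."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        cmd, parent = e["cmdline"], by_pid.get(e["ppid"])
        if CVS_RE.search(cmd):
            metas = sorted(set(META_RE.findall(cmd)))
            if metas:
                findings.append({"rule": "A", "pid": e["pid"],
                                 "detail": "metacharacters " + "".join(metas)})
            if parent and parent["comm"] == "git-shell":
                findings.append({"rule": "C", "pid": e["pid"],
                                 "detail": "cvsserver via git-shell"})
        if e["comm"] in SHELLS and parent and CVS_RE.search(parent["cmdline"]):
            findings.append({"rule": "B", "pid": e["pid"],
                             "detail": "shell child of pid " + parent["pid"]})
    return findings

# Constructed sample (not real telemetry): an ssh session where git-shell
# forwards "cvs server" to git-cvsserver, which then spawns /bin/sh. The
# shell's command line is a placeholder for whatever the Perl backtick built.
SAMPLE_EVENTS = [
    {"pid": "100", "ppid": "1", "comm": "sshd", "cmdline": "sshd: git [priv]"},
    {"pid": "101", "ppid": "100", "comm": "git-shell", "cmdline": "git-shell -c cvs server"},
    {"pid": "102", "ppid": "101", "comm": "git-cvsserver", "cmdline": "git-cvsserver server"},
    {"pid": "103", "ppid": "102", "comm": "git", "cmdline": "git rev-parse --verify HEAD"},
    {"pid": "104", "ppid": "102", "comm": "sh",
     "cmdline": "sh -c [command built from client-supplied module name]"},
    {"pid": "105", "ppid": "101", "comm": "git", "cmdline": "git-upload-pack repo.git"},
]

if __name__ == "__main__":
    for finding in analyze_process_events(SAMPLE_EVENTS):
        print(finding)
```

Rule B should be baselined against legitimate CVS sessions on the host before it is used for alerting, since the Perl backtick path can hand benign commands to the shell as well.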
CVSS provenance
- nvd v3.0: 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- nvd v2.0: 9.0 CRITICAL (AV:N/AC:L/Au:S/C:C/I:C/A:C)
- osv: 8.8 HIGH
- vendor_debian: 8.8 HIGH
- vendor_msrc: 8.8 HIGH
- vendor_redhat: 8.8 HIGH
Ubuntu
CVE-2017-14867 Git vulnerability
vendor_ubuntu · 2017-10-05
Summary: Git could be made to run programs if it processed a specially crafted file.
It was discovered that Git incorrectly handled certain subcommands such as cvsserver. A remote attacker could possibly use this issue via shell metacharacters in module names to execute arbitrary code.
This update also removes the cvsserver subcommand from git-shell by default.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
CVE-2017-14867 git: cvsserver command injection
vendor_redhat · 2017-09-26 · CVSS 8.8 · HIGH · CWE-20
Mitigation: In case you do not rely on the commands offered by the "-cvs" subpackage (for example "git cvsserver" or "git cvsimport") on RHEL or RHSCL, you can uninstall the git "-cvs" subpackage.
Package: jgit (Red Hat BPM Suite 6) - Not affected
Package: git (Red Hat Enterprise Linux 6) - Will not fix
Package: git (Red Hat Enterprise Linux 7) - Will not fix
Package: fabric8 (Red Hat JBoss A-MQ 6) - Not affe
Microsoft
CVE-2017-14867
vendor_msrc · 2017-09-12 · CVSS 8.8 · HIGH · CWE-78
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we be
Debian
CVE-2017-14867: git
vendor_debian · 2017 · CVSS 8.8 · HIGH
Scope: local
- bookworm: resolved (fixed in 1:2.14.2-1)
- bullseye: resolved (fixed in 1:2.14.2-1)
- forky: resolved (fixed in 1:2.14.2-1)
- sid: resolved (fixed in 1:2.14.2-1)
- trixie: resolved (fixed in 1:2.14.2-1)
GHSA
GHSA-h66v-9g4g-85x5
ghsa_unreviewed · 2022-05-13 · HIGH · CWE-78
OSV
CVE-2017-14867
osv · 2017-09-29 · CVSS 8.8 · HIGH
No detection rules found.
No public exploits indexed.
References
- http://www.openwall.com/lists/oss-security/2017/09/26/9
- http://www.securityfocus.com/bid/101060
- http://www.securitytracker.com/id/1039431
- https://bugs.debian.org/876854
- https://lists.debian.org/debian-security-announce/2017/msg00246.html
- https://public-inbox.org/git/xmqqy3p29ekj.fsf%40gitster.mtv.corp.google.com/T/#u
- https://www.debian.org/security/2017/dsa-3984