CVE-2017-14867: OS Command Injection in Git

Severity: 8.8 HIGH (NVD)
EPSS: 7.0% (top 8.53%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Sep 29
Latest update: May 13

Description

Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (2 packages)

Debian: git/git < 1:2.14.2-1 (+3)
NVD: git-scm/git 2.10.4 (+17)

Also affects: Debian Linux 8.0, 9.0

Vulnerability Details (3)

GHSA: GHSA-h66v-9g4g-85x5: Git before 2... (2022-05-13)
OSV: CVE-2017-14867: Git before 2... (2017-09-29)
CVEList: CVE-2017-14867: Git before 2... (2017-09-28)

Vendor Advisories (4)

Ubuntu: Git vulnerability (2017-10-05)
Red Hat: git: cvsserver command injection (2017-09-26)
Microsoft: Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers... (2017-09-12)
Debian: CVE-2017-14867: git - Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.1... (2017)

Community (1)

Bugzilla: CVE-2017-14867 git: cvsserver command injection (2017-09-27)
CVE-2017-14867 — OS Command Injection in Git-scm GIT | cvebase