CVE-2017-14867
published 2017-09-29


Priority: P2 (67) · high · CVSS 3.0 8.8 · vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 36.00% (98.3rd percentile)
Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.
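git-cvsserver is a Perl script, and the defect is the backtick operator interpolating an attacker-controlled module name into a command string that /bin/sh then parses. The added example below is not git's code: it reproduces the same bug class in Python, with subprocess and shell=True standing in for Perl backticks and an argv list standing in for the list-argument pipe form the upstream fix uses (its safe_pipe_capture helper). The target command is echo rather than git so it runs anywhere; the payload and the allowlist regex are my assumptions.

```python
import re
import subprocess

# Stand-in for the vulnerable pattern: Perl's `git ... $module` hands the
# interpolated string to /bin/sh. shell=True does exactly that, so a module
# name carrying metacharacters is parsed by the shell instead of being passed
# through as one argument.
def run_like_perl_backticks(module: str) -> str:
    cmd = f"echo module={module}"      # string interpolation == Perl backticks
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Hardened form, equivalent to Perl's multi-argument open('-|', 'git', ...):
# argv is a list, no shell is involved, and the module name reaches the
# program as exactly one argument whatever it contains.
def run_with_argv(module: str) -> str:
    return subprocess.run(["echo", f"module={module}"],
                          capture_output=True, text=True).stdout


# Defence in depth (my assumption, not upstream's check): reject anything that
# is not a plain ref-like name before any process is spawned.
MODULE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]*")


def is_safe_module_name(module: str) -> bool:
    return MODULE_RE.fullmatch(module) is not None and ".." not in module


# Constructed attacker-controlled module name of the kind the advisory describes.
PAYLOAD = "foo; echo INJECTED"

if __name__ == "__main__":
    print("backticks :", repr(run_like_perl_backticks(PAYLOAD)))  # second command ran
    print("argv list :", repr(run_with_argv(PAYLOAD)))            # payload is inert
    print("allowlist :", is_safe_module_name(PAYLOAD), is_safe_module_name("feature/x-1.0"))
```

The shell-based call prints two lines because `; echo INJECTED` became a second command; the argv-based call prints the whole payload as literal text. The allowlist is only a backstop: the real fix is never letting a shell see the string.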

Affected

27 ranges · showing 25 (rows with no extracted version data omitted; git-scm series ranges taken from the description above)

Vendor    Product        Version range                 Fixed in
debian    debian_linux   (no range extracted)
debian    git            < 1:2.14.2-1 (bookworm)       1:2.14.2-1 (bookworm)
git       git            >= 0, < 1:2.14.2-1            1:2.14.2-1
git-scm   git            <= 2.10.4                     2.10.5
git-scm   git            2.11.0 to 2.11.3              2.11.4
git-scm   git            2.12.0 to 2.12.4              2.12.5
git-scm   git            2.13.0 to 2.13.5              2.13.6
git-scm   git            2.14.0 to 2.14.1              2.14.2
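To turn the range list into a check a scanner can run, the added example below (mine, not from this tracker) parses `git --version` output and applies the per-series fixed versions from the description. Treating 2.15 and later as unaffected is my reading of the advisory, which lists nothing beyond 2.14.x; pre-release suffixes such as `-rc0` are ignored.

```python
import re

# Fixed release per affected series, from the advisory text. Anything older
# than 2.11 is fixed only in 2.10.5, the oldest maintained line at the time.
FIXED_BY_SERIES = {
    (2, 11): (2, 11, 4),
    (2, 12): (2, 12, 5),
    (2, 13): (2, 13, 6),
    (2, 14): (2, 14, 2),
}
FIXED_OLDEST = (2, 10, 5)
FIRST_UNAFFECTED_SERIES = (2, 15)   # assumption: later series shipped with the fix


def parse_git_version(text: str) -> tuple:
    """Accepts 'git version 2.13.5', '2.14.2' or 'git version 2.14.2.windows.1'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(text: str) -> bool:
    v = parse_git_version(text)
    if v[:2] >= FIRST_UNAFFECTED_SERIES:
        return False
    fixed = FIXED_BY_SERIES.get(v[:2], FIXED_OLDEST)
    return v < fixed


if __name__ == "__main__":
    import subprocess
    try:
        out = subprocess.run(["git", "--version"], capture_output=True,
                             text=True, check=True).stdout
        print(out.strip(), "->", "VULNERABLE" if is_vulnerable(out) else "not affected")
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("git not available on this host")
```

Distributions often backport the fix under an older upstream version string (the Debian rows above carry their own epoch-prefixed versions), so on packaged git compare the package version with the vendor advisory rather than trusting the upstream number alone.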

Detection & IOCs (extracted from sources)

  • The vulnerability is triggered via shell metacharacters in a CVS module name passed to git-cvsserver (a Perl script). Monitor git-shell and git-cvsserver invocations for module-name arguments containing shell metacharacters (backticks, semicolons, pipes, $()).
  • git-cvsserver is reachable via git-shell even when CVS support is not explicitly configured: monitor git-shell sessions that invoke the cvs server subcommand.
  • The vulnerable code path uses Perl backtick operators to invoke git with user-supplied input, so a successful injection spawns a shell. Look for unexpected child processes (e.g., /bin/sh) of git-cvsserver, or of perl processes handling git subcommands.
  • On unpatched versions git-shell hands the cvs server command to git-cvsserver by default, without further configuration: audit git-shell's allowed commands for the cvs server entry.
  • Systems are only vulnerable if the git-cvs package (which ships git-cvsserver on Debian-based distributions) is installed. Removing it mitigates the vulnerability.
  • The Ubuntu fix also removes the cvsserver subcommand from git-shell by default, a configuration hardening that closes the exposed code path.
  • Affected git versions: before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2.
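The first two bullets above say what to look for; the added example below (mine, not from the page's sources) implements that check over the CVS client protocol, where a module name arrives in `Argument` requests preceding a command request such as `co` or `expand-modules`. It can be run over a captured client-to-server stream (a tee'd stdin of git-cvsserver, or the SSH channel payload). The sample session, the set of module-taking commands and the metacharacter set are my constructions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# CVS client-protocol command requests whose preceding "Argument" requests carry
# module names. This selection is mine; the advisory only says "module name".
MODULE_COMMANDS = {"co", "checkout", "expand-modules", "rlog", "rtag",
                   "rdiff", "rannotate", "export"}

# Metacharacters from the detection notes (backtick, ;, |, $()), plus &, <, >
# and newline, which /bin/sh also interprets. "$(" is tried first so the
# finding reports the whole operator.
METACHAR_RE = re.compile(r"\$\(|[`;|&$<>\n]")


@dataclass
class Finding:
    line_no: int      # line of the offending Argument request in the stream
    command: str      # command request the argument was attached to
    argument: str
    metachar: str     # first metacharacter matched


def scan_cvs_requests(stream: str) -> list[Finding]:
    """Scan a client->server CVS request stream for module names carrying
    shell metacharacters.

    "Argument ..." requests (and "Argumentx ..." continuations, which splice
    an embedded newline) are buffered until the next command request; in the
    protocol a command request is a bare keyword line.  Buffered arguments
    that are not options (-x) are checked when the command takes module names.
    """
    findings: list[Finding] = []
    pending: list[tuple[int, str]] = []
    skip_next = False   # a "Directory" request is followed by a repository line
    for no, line in enumerate(stream.splitlines(), start=1):
        if skip_next:
            skip_next = False
            continue
        if line.startswith("Directory "):
            skip_next = True
        elif line.startswith("Argument "):
            pending.append((no, line[len("Argument "):]))
        elif line.startswith("Argumentx ") and pending:
            n, a = pending[-1]
            pending[-1] = (n, a + "\n" + line[len("Argumentx "):])
        elif line.strip() and " " not in line.strip():
            cmd = line.strip()           # bare keyword: co, rlog, version, ...
            if cmd in MODULE_COMMANDS:
                for n, arg in pending:
                    if arg.startswith("-"):
                        continue         # option, not a module name
                    m = METACHAR_RE.search(arg)
                    if m:
                        findings.append(Finding(n, cmd, arg, m.group(0)))
            pending = []                 # any command consumes its arguments
    return findings


# Constructed sample session: one clean checkout, then two requests carrying
# the kind of payload the advisory describes.
SAMPLE_SESSION = (
    "Root /srv/git/project.git\n"
    "Valid-responses ok error Valid-requests Checked-in Updated\n"
    "valid-requests\n"
    "UseUnchanged\n"
    "Argument -N\n"
    "Argument master\n"
    "Directory .\n"
    "/srv/git/project.git\n"
    "co\n"
    "Argument master`id>/tmp/x`\n"
    "expand-modules\n"
    "Argument -r\n"
    "Argument HEAD\n"
    "Argument $(id)\n"
    "rlog\n"
)

if __name__ == "__main__":
    for f in scan_cvs_requests(SAMPLE_SESSION):
        print(f"line {f.line_no}: {f.command} argument {f.argument!r} contains {f.metachar!r}")
```

Arguments are only judged once the command is known, so option values and arguments to commands that never reach the vulnerable path do not raise noise; the newline case matters because an `Argumentx` continuation is the protocol's way of smuggling a line break past a single-line filter.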

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      8.8     HIGH       CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      9.0     CRITICAL   AV:N/AC:L/Au:S/C:C/I:C/A:C
osv                       8.8     HIGH
vendor_debian             8.8     HIGH
vendor_msrc               8.8     HIGH
vendor_redhat             8.8     HIGH