CVE-2017-8386
published 2017-06-01

Priority: P258, high, 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 11.73% (95.5th percentile)
git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a - (dash) character.

Affected

14 ranges

Vendor | Product | Version range | Fixed in
canonical | ubuntu_linux | |
canonical | ubuntu_linux | |
canonical | ubuntu_linux | |
canonical | ubuntu_linux | |
debian | debian_linux | |
debian | git | < git 1:2.11.0-3 (bookworm) | git 1:2.11.0-3 (bookworm)
fedoraproject | fedora | |
fedoraproject | fedora | |
fedoraproject | fedora | |
git | git | >= 0 < 1:2.11.0-3 | 1:2.11.0-3
git | git | >= 0 < 1:2.11.0-3 | 1:2.11.0-3
git | git | >= 0 < 1:2.11.0-3 | 1:2.11.0-3
git | git | >= 0 < 1:2.11.0-3 | 1:2.11.0-3
opensuse | leap | |

Detection & IOCs

command: git upload-pack --help
  • Monitor git-shell sessions for repository names beginning with a dash (-) character, which can be used to inject command-line options and escape the restricted shell.
  • Detect abuse of the 'less' pager spawned via crafted git-shell command-line options; look for 'less' processes spawned as children of git-shell over SSH sessions.
  • Alert on SSH-initiated 'git upload-pack --help' invocations, which trigger the interactive pager and can be used to escape git-shell restrictions.
  • This vulnerability only affects servers explicitly configured to use git-shell as a login shell; scope detection efforts to such systems.
  • Red Hat Enterprise Linux 6 will NOT receive a fix for this CVE; deployments on RHEL 6 using git-shell remain permanently exposed.
  • Exploitation requires the attacker to be a remote authenticated user; unauthenticated attackers cannot exploit this vulnerability.
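
One way to implement the first and third checks above, as an added example that is not taken from this page or its sources. It assumes the command string each SSH client requested has already been collected (for instance from OpenSSH's SSH_ORIGINAL_COMMAND in a ForceCommand wrapper); the (session id, command) record format, the function names and the sample records are constructed for illustration.

```python
import shlex

# Built-in commands git-shell serves, in their dashed spelling.
GIT_SHELL_COMMANDS = {"git-upload-pack", "git-receive-pack", "git-upload-archive"}


def inspect_git_shell_command(command):
    """Return a finding string for a suspicious git-shell command, else None."""
    try:
        # Shell-style splitting so a quoted argument such as '--help' is unwrapped.
        argv = shlex.split(command)
    except ValueError:
        return "unparseable command (unbalanced quotes)"
    if not argv:
        return None
    # Normalise the "git upload-pack ..." spelling to "git-upload-pack ...".
    if argv[0] == "git" and len(argv) > 1:
        argv = ["git-" + argv[1]] + argv[2:]
    if argv[0] not in GIT_SHELL_COMMANDS:
        return None
    # The repository argument must never be parsed as an option.
    for arg in argv[1:]:
        if arg.startswith("-"):
            return f"{argv[0]}: argument {arg!r} starts with a dash"
    return None


def scan(records):
    """Return (session_id, finding) for every flagged (session_id, command) record."""
    flagged = []
    for session_id, command in records:
        finding = inspect_git_shell_command(command)
        if finding:
            flagged.append((session_id, finding))
    return flagged


# Constructed sample records, not real log data.
SAMPLE_RECORDS = [
    ("s1", "git-upload-pack '/srv/git/project.git'"),
    ("s2", "git upload-pack --help"),
    ("s3", "git-receive-pack '-project.git'"),
    ("s4", "git-upload-pack 'team-a/project.git'"),  # dash inside the name is fine
]

if __name__ == "__main__":
    for session_id, finding in scan(SAMPLE_RECORDS):
        print(session_id, finding)
```

This covers only the requested command string; the pager check (a 'less' process whose parent is git-shell) needs process-level telemetry.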

CVSS provenance

nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P
osv | 8.8 | HIGH
vendor_debian | 8.8 | HIGH
vendor_redhat | 8.8 | HIGH