CVE-2017-8386
published 2017-06-01
CVE-2017-8386: git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3…
Priority: P2 · 58 · high · 8.8 (CVSS 3.0)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 11.73% (95.5th percentile)
git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a - (dash) character.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | git | < git 1:2.11.0-3 (bookworm) | git 1:2.11.0-3 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| git | git | >= 0 < 1:2.11.0-3 | 1:2.11.0-3 |
| git | git | >= 0 < 1:2.11.0-3 | 1:2.11.0-3 |
| git | git | >= 0 < 1:2.11.0-3 | 1:2.11.0-3 |
| git | git | >= 0 < 1:2.11.0-3 | 1:2.11.0-3 |
| opensuse | leap | — | — |
Detection & IOCs
- Monitor git-shell sessions for repository names beginning with a dash (-) character, which can be used to inject command-line options and escape the restricted shell.
- Detect abuse of the 'less' pager spawned via crafted git-shell command-line options; look for 'less' processes spawned as children of git-shell over SSH sessions.
- Alert on SSH-initiated 'git upload-pack --help' invocations, which trigger the interactive pager and can be used to escape git-shell restrictions.
- This vulnerability only affects servers explicitly configured to use git-shell as a login shell; scope detection efforts to such systems.
- Red Hat Enterprise Linux 6 will NOT receive a fix for this CVE; deployments on RHEL 6 using git-shell remain permanently exposed.
- Exploitation requires the attacker to be a remote authenticated user; unauthenticated attackers cannot exploit this vulnerability.
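The first two checks in the list above, sketched as an added example (not code from any of the advisories): `classify` inspects the command string git-shell was asked to run, and `pagers_under_git_shell` walks a process table for `less` descended from git-shell. The sample commands and process rows are constructed, and how the command string is collected on a given server (for example from execve audit records) is an assumption.

```python
import shlex

# Commands git-shell hands off to git; "git <cmd>" is the spaced spelling.
GIT_SHELL_COMMANDS = {"git-receive-pack", "git-upload-pack", "git-upload-archive"}

def classify(command):
    """Classify one command string requested from git-shell."""
    try:
        argv = shlex.split(command)  # approximation of git-shell's own dequoting
    except ValueError:
        return "unparseable"
    if len(argv) >= 2 and argv[0] == "git":
        argv = ["git-" + argv[1]] + argv[2:]
    if not argv or argv[0] not in GIT_SHELL_COMMANDS:
        return "not-git-shell"
    # A repository argument starting with '-' is read as an option (CVE-2017-8386).
    if any(arg.startswith("-") for arg in argv[1:]):
        return "dash-argument"
    return "ok"

def pagers_under_git_shell(procs):
    """procs: (pid, ppid, comm) rows. Return pids of 'less' descended from git-shell."""
    by_pid = {pid: (ppid, comm) for pid, ppid, comm in procs}
    hits = []
    for pid, (ppid, comm) in by_pid.items():
        seen = set()
        while comm == "less" and ppid in by_pid and ppid not in seen:
            seen.add(ppid)
            ppid, parent = by_pid[ppid]
            if parent == "git-shell":
                hits.append(pid)
                break
    return sorted(hits)

# Constructed sample data, not taken from a real server.
SAMPLE_COMMANDS = [
    "git-upload-pack 'project.git'",
    "git upload-pack --help",
    "git-receive-pack '-repo.git'",
    "ls -la",
]
SAMPLE_PROCS = [
    (100, 1, "sshd"), (101, 100, "git-shell"), (102, 101, "git"),
    (103, 102, "man"), (104, 103, "less"),   # pager reached through git-shell
    (200, 1, "bash"), (201, 200, "less"),    # ordinary interactive pager
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(f"{classify(cmd):14} {cmd}")
    print("pagers under git-shell:", pagers_under_git_shell(SAMPLE_PROCS))
```

The ancestor walk matters because the pager is not necessarily a direct child of git-shell; matching only on the immediate parent would miss the constructed chain shown here.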
CVSS provenance
nvd · v3.0 · 8.8 HIGH · CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.5 MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P
osv · 8.8 HIGH
vendor_debian · 8.8 HIGH
vendor_redhat · 8.8 HIGH
Ubuntu
Git vulnerability
vendor_ubuntu·2017-05-15
CVE-2017-8386 Git vulnerability
Title: Git vulnerability
Summary: Git could be made to expose sensitive information over the network.
Timo Schmid discovered that the Git restricted shell incorrectly filtered
allowed commands. A remote attacker could possibly use this issue to run an
interactive pager and access sensitive information.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
git: Escape out of git-shell
vendor_redhat·2017-05-05·CVSS 8.8
CVE-2017-8386 [HIGH] git: Escape out of git-shell
git: Escape out of git-shell
git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a - (dash) character.
A flaw was found in the way git-shell handled command-line options for the restricted set of git-shell commands. A remote, authenticated attacker could use this flaw to bypass git-shell restrictions, to view and manipulate files, by abusing the instance of the less command launched using crafted command-line options.
Package: git (Red Hat Enterprise Linux 6) - Will not fix
Debian
CVE-2017-8386: git - git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x be...
vendor_debian·2017·CVSS 8.8
CVE-2017-8386 [HIGH] CVE-2017-8386: git - git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x be...
git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a - (dash) character.
Scope: local
bookworm: resolved (fixed in 1:2.11.0-3)
bullseye: resolved (fixed in 1:2.11.0-3)
forky: resolved (fixed in 1:2.11.0-3)
sid: resolved (fixed in 1:2.11.0-3)
trixie: resolved (fixed in 1:2.11.0-3)
GHSA
GHSA-xqh5-ghjx-6xv5: git-shell in git before 2
ghsa_unreviewed·2022-05-13
CVE-2017-8386 [HIGH] GHSA-xqh5-ghjx-6xv5: git-shell in git before 2
git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a - (dash) character.
OSV
CVE-2017-8386: git-shell in git before 2
osv·2017-06-01·CVSS 8.8
CVE-2017-8386 [HIGH] CVE-2017-8386: git-shell in git before 2
git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a - (dash) character.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-8386 git: Escape out of git-shell
bugzilla·2017-05-12·CVSS 8.8
CVE-2017-8386 [HIGH] CVE-2017-8386 git: Escape out of git-shell
CVE-2017-8386 git: Escape out of git-shell
A vulnerability was found in git concerning the git shell. A user who comes over SSH could run an interactive pager by causing it to spawn "git upload-pack --help".
"git-shell" is a restricted login shell that can be used on a server to prevent SSH clients from running any programs except those needed for git fetches and pushes. If you are not running a server, or if your server has not been explicitly configured to use git-shell as a login shell, you are not affected.
Upstream patch:
https://kernel.googlesource.com/pub/scm/git/git/+/3ec804490a265f4c418a321428c12f3f18b7eff5
References:
https://insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-8386/
http://public-inbox.org/git/xmqq8tm5ziat.fsf%40gitster.mtv.corp.google.com/
Dis
Bugzilla
CVE-2017-8386 git: Escape out of git-shell [fedora-all]
bugzilla·2017-05-12·CVSS 8.8
CVE-2017-8386 [HIGH] CVE-2017-8386 git: Escape out of git-shell [fedora-all]
CVE-2017-8386 git: Escape out of git-shell [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
References:
- http://lists.opensuse.org/opensuse-updates/2017-05/msg00090.html
- http://public-inbox.org/git/xmqq8tm5ziat.fsf%40gitster.mtv.corp.google.com/
- http://www.debian.org/security/2017/dsa-3848
- http://www.securityfocus.com/bid/98409
- http://www.securitytracker.com/id/1038479
- http://www.ubuntu.com/usn/USN-3287-1
- https://access.redhat.com/errata/RHSA-2017:2004
- https://access.redhat.com/errata/RHSA-2017:2491
- https://insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-8386/
- https://kernel.googlesource.com/pub/scm/git/git/+/3ec804490a265f4c418a321428c12f3f18b7eff5
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ISHYFLM2ACYHHY3JHCLF75X7UF4ZMDM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DPYRN7APMHY4ZFDPAKD22J5R4QJFY2JP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FDS3LSJJ3YGGQYIVPKQDVOCXWDSF6JGF/
- https://security.gentoo.org/glsa/201706-04
Published 2017-06-01