CVE-2017-14867

Sažetak

Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.

Reference

https://www.debian.org/security/2017/dsa-3984
https://lists.debian.org/debian-security-announce/2017/msg00246.html
https://bugs.debian.org/876854
http://www.openwall.com/lists/oss-security/2017/09/26/9
http://www.securitytracker.com/id/1039431
http://www.securityfocus.com/bid/101060
https://public-inbox.org/git/xmqqy3p29ekj.fsf%40gitster.mtv.corp.google.com/T/#u

CVSS

Base:	9.0
Impact:	10.0
Exploitability:	8.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
COMPLETE	COMPLETE	COMPLETE

CVSS vektor

AV:N/AC:L/Au:S/C:C/I:C/A:C

Zadnje važnije ažuriranje

07-11-2023 - 02:39

Objavljeno

29-09-2017 - 01:34