9

CVE-2017-14867

Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.

Data is provided by the National Vulnerability Database (NVD)
Git-scmGit Version <= 2.10.4
Git-scmGit Version2.11.0
Git-scmGit Version2.11.1
Git-scmGit Version2.11.2
Git-scmGit Version2.11.3
Git-scmGit Version2.12.0
Git-scmGit Version2.12.1
Git-scmGit Version2.12.2
Git-scmGit Version2.12.3
Git-scmGit Version2.12.4
Git-scmGit Version2.13.0
Git-scmGit Version2.13.1
Git-scmGit Version2.13.2
Git-scmGit Version2.13.3
Git-scmGit Version2.13.4
Git-scmGit Version2.13.5
Git-scmGit Version2.14.0
Git-scmGit Version2.14.1
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 6.97% 0.911
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 9 8 10
AV:N/AC:L/Au:S/C:C/I:C/A:C
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

http://www.securityfocus.com/bid/101060
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1039431
Third Party Advisory
VDB Entry
https://bugs.debian.org/876854
Third Party Advisory
Mailing List
Issue Tracking