CVE-2017-14867 Information
Description
Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Reference
http://www.openwall.com/lists/oss-security/2017/09/26/9
http://www.securityfocus.com/bid/101060
http://www.securitytracker.com/id/1039431
https://bugs.debian.org/876854
https://lists.debian.org/debian-security-announce/2017/msg00246.html
https://public-inbox.org/git/xmqqy3p29ekj.fsf@gitster.mtv.corp.google.com/T/u
https://www.debian.org/security/2017/dsa-3984
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
8.8
Base Severity
HIGH