CVE-2017-17831 Information
Description
GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname located on a "url =" line in a .lfsconfig file within a repository.
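One defender-side check suggested by the description, written here as an added Python example that is not part of the CVE record or of Git LFS's own code: it reads a .lfsconfig in git-config syntax, extracts the host that an ssh-style URL would hand to the ssh client, and flags hosts that begin with a dash. It also flags a leading dash in the user part, a conservative extension beyond the advisory text; the key names checked and the sample file are assumptions.

```python
import re

# Scheme forms treated as ssh URLs (assumption for this checker)
SSH_URL = re.compile(r'^(?:ssh|git\+ssh|ssh\+git)://([^/?#]+)', re.IGNORECASE)
SCP_LIKE = re.compile(r'^([^:/]+):')  # [user@]host:path, no scheme at all

def ssh_target(url):
    """Return the '[user@]host' argument ssh would be given, or None if not ssh."""
    m = SSH_URL.match(url)
    if m:
        return re.sub(r':\d+$', '', m.group(1))  # strip :port (IPv6 literals ignored)
    if '://' not in url:
        m = SCP_LIKE.match(url)
        return m.group(1) if m else None
    return None

def parse_git_config(text):
    """Minimal git-config reader yielding (section, key, value); comments skipped."""
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in '#;':
            continue
        if line[0] == '[' and line[-1] == ']':
            section = line[1:-1].strip().lower()
        elif '=' in line:
            key, _, value = line.partition('=')
            yield section, key.strip().lower(), value.strip()

def find_dash_hosts(lfsconfig_text):
    """Flag url-type keys whose ssh host (or whole ssh argument) starts with '-'."""
    findings = []
    for section, key, value in parse_git_config(lfsconfig_text):
        if key not in ('url', 'lfsurl', 'pushurl'):  # assumed key names
            continue
        target = ssh_target(value) or ''
        host = target.rpartition('@')[2]
        if host.startswith('-') or target.startswith('-'):
            findings.append((section, key, value))
    return findings

# Constructed sample .lfsconfig; the first url is a deliberately malformed test value
SAMPLE_LFSCONFIG = """\
[lfs]
\turl = ssh://-evil.example/org/repo.git
[remote "origin"]
\tlfsurl = git@git.example.com:org/repo.git
\tpushurl = https://git.example.com/org/repo.git
"""
```

Running find_dash_hosts(SAMPLE_LFSCONFIG) reports only the [lfs] url entry; the scp-like and https entries pass.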
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Reference
http://blog.recurity-labs.com/2017-08-10/scm-vulns
http://www.securityfocus.com/bid/102926
https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html
https://github.com/git-lfs/git-lfs/pull/2242
https://github.com/git-lfs/git-lfs/releases/tag/v2.1.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
8.8
Base Severity
HIGH