CVE-2017-14867

HIGH

git < 2.10.4 - OS Command Injection via Unsafe Perl Scripts in CVS Subcommands


Description

Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.

References (7)

http://www.openwall.com/lists/oss-security/2017/09/26/9
  Mailing List, Third Party Advisory (x_refsource_confirm)
https://bugs.debian.org/876854
  Issue Tracking, Mailing List, Third Party Advisory (x_refsource_confirm)
https://lists.debian.org/debian-security-announce/2017/msg00246.html
  Mailing List, Third Party Advisory (x_refsource_confirm)
http://www.securitytracker.com/id/1039431
  Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack)
http://www.securityfocus.com/bid/101060
  Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid)
https://www.debian.org/security/2017/dsa-3984
  Third Party Advisory (vendor-advisory, x_refsource_debian)

Scores

CVSS v3: 8.8
EPSS: 0.3600
EPSS Percentile: 98.3%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-78
Status: published
Products (20)
debian/debian_linux 8.0
debian/debian_linux 9.0
git-scm/git 2.11.0
git-scm/git 2.11.1
git-scm/git 2.11.2
git-scm/git 2.11.3
git-scm/git 2.12.0
git-scm/git 2.12.1
git-scm/git 2.12.2
git-scm/git 2.12.3
... and 10 more
Published: Sep 29, 2017
Tracked Since: Feb 18, 2026