CVE-2017-14867
HIGH
git < 2.10.4 - OS Command Injection via Unsafe Perl Scripts in CVS Subcommands
Title source: manual
Description
Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.
References (7)
Core References
Mailing List, Third Party Advisory x_refsource_confirm
http://www.openwall.com/lists/oss-security/2017/09/26/9
Issue Tracking, Mailing List, Third Party Advisory x_refsource_confirm
https://bugs.debian.org/876854
Mailing List, Third Party Advisory x_refsource_confirm
https://lists.debian.org/debian-security-announce/2017/msg00246.html
Various Sources x_refsource_confirm
https://public-inbox.org/git/xmqqy3p29ekj.fsf%40gitster.mtv.corp.google.com/T/#u
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1039431
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/101060
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2017/dsa-3984
Scores
CVSS v3
8.8
EPSS
0.3600
EPSS Percentile
98.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (20)
debian/debian_linux
8.0
debian/debian_linux
9.0
git-scm/git
2.11.0
git-scm/git
2.11.1
git-scm/git
2.11.2
git-scm/git
2.11.3
git-scm/git
2.12.0
git-scm/git
2.12.1
git-scm/git
2.12.2
git-scm/git
2.12.3
... and 10 more
Published
Sep 29, 2017
Tracked Since
Feb 18, 2026