Vulnerability Description
git-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and CVE-2017-1000117.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Git-Annex Project | Git-Annex | <= 6.20170520 |
Related Weaknesses (CWE)
References
- http://source.git-annex.branchable.com/?p=source.git%3Ba=blob%3Bf=doc/bugs/dashe
- http://source.git-annex.branchable.com/?p=source.git%3Ba=commit%3Bh=c24d0f0e8984
- http://source.git-annex.branchable.com/?p=source.git%3Ba=commit%3Bh=df11e54788b2
- http://www.debian.org/security/2017/dsa-4010
- https://lists.debian.org/debian-lts-announce/2018/09/msg00004.html
- http://source.git-annex.branchable.com/?p=source.git%3Ba=blob%3Bf=doc/bugs/dashe
- http://source.git-annex.branchable.com/?p=source.git%3Ba=commit%3Bh=c24d0f0e8984
- http://source.git-annex.branchable.com/?p=source.git%3Ba=commit%3Bh=df11e54788b2
- http://www.debian.org/security/2017/dsa-4010
- https://lists.debian.org/debian-lts-announce/2018/09/msg00004.html
FAQ
What is CVE-2017-12976?
CVE-2017-12976 is a vulnerability with a CVSS score of 8.8 (HIGH). git-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL, a rela...
How severe is CVE-2017-12976?
CVE-2017-12976 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-12976?
Check the references section above for vendor advisories and patch information. Affected products include: Git-Annex Project Git-Annex.