Vulnerability Description
GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, located on a "url =" line in a .lfsconfig file within a repository.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Git Large File Storage Project | Git Large File Storage | < 2.1.1 |
Related Weaknesses (CWE)
References
- http://blog.recurity-labs.com/2017-08-10/scm-vulnsExploitThird Party Advisory
- http://www.securityfocus.com/bid/102926Third Party AdvisoryVDB Entry
- https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-Third Party Advisory
- https://github.com/git-lfs/git-lfs/pull/2242PatchThird Party Advisory
- https://github.com/git-lfs/git-lfs/releases/tag/v2.1.1Release NotesThird Party Advisory
- http://blog.recurity-labs.com/2017-08-10/scm-vulnsExploitThird Party Advisory
- http://www.securityfocus.com/bid/102926Third Party AdvisoryVDB Entry
- https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-Third Party Advisory
- https://github.com/git-lfs/git-lfs/pull/2242PatchThird Party Advisory
- https://github.com/git-lfs/git-lfs/releases/tag/v2.1.1Release NotesThird Party Advisory
FAQ
What is CVE-2017-17831?
CVE-2017-17831 is a vulnerability with a CVSS score of 8.8 (HIGH). GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, located on a "url =" line in a .lfsconfig file within a...
How severe is CVE-2017-17831?
CVE-2017-17831 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-17831?
Check the references section above for vendor advisories and patch information. Affected products include: Git Large File Storage Project Git Large File Storage.