Vulnerability Description
git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a - (dash) character.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Git | Git-Shell | - |
| Opensuse | Leap | 42.1 |
| Debian | Debian Linux | 8.0 |
| Canonical | Ubuntu Linux | 14.04 |
| Fedoraproject | Fedora | 24 |
References
- http://lists.opensuse.org/opensuse-updates/2017-05/msg00090.html (Mailing List, Third Party Advisory)
- http://public-inbox.org/git/xmqq8tm5ziat.fsf%40gitster.mtv.corp.google.com/
- http://www.debian.org/security/2017/dsa-3848 (Third Party Advisory, VDB Entry)
- http://www.securityfocus.com/bid/98409 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1038479 (Third Party Advisory)
- http://www.ubuntu.com/usn/USN-3287-1 (Exploit, Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2017:2004
- https://access.redhat.com/errata/RHSA-2017:2491
- https://insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-8386/ (Mitigation, Third Party Advisory)
- https://kernel.googlesource.com/pub/scm/git/git/+/3ec804490a265f4c418a321428c12f (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/201706-04
FAQ
What is CVE-2017-8386?
CVE-2017-8386 is a vulnerability with a CVSS score of 8.8 (HIGH). git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3...
How severe is CVE-2017-8386?
CVE-2017-8386 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-8386?
Check the references section above for vendor advisories and patch information. Affected products include: Git Git-Shell, Opensuse Leap, Debian Debian Linux, Canonical Ubuntu Linux, Fedoraproject Fedora.