CVSSv3: 8.8

CVE-2017-14867

Published: 29/09/2017 Updated: 07/11/2023
CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 801
CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Vulnerability Summary

Git prior to 2.10.5, 2.11.x prior to 2.11.4, 2.12.x prior to 2.12.5, 2.13.x prior to 2.13.6, and 2.14.x prior to 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows malicious users to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.

Vulnerable Products

git-scm git 2.11.0
git-scm git 2.11.1
git-scm git 2.11.2
git-scm git 2.11.3
git-scm git 2.12.0
git-scm git 2.12.1
git-scm git 2.12.2
git-scm git 2.12.3
git-scm git 2.12.4
git-scm git 2.13.0
git-scm git 2.13.1
git-scm git 2.13.2
git-scm git 2.13.3
git-scm git 2.13.4
git-scm git 2.13.5
git-scm git 2.14.0
git-scm git 2.14.1
git-scm git
debian debian linux 8.0
debian debian linux 9.0

Vendor Advisories

Debian Bug report logs - #876854 git: CVE-2017-14867: cvsserver OS command injection. Package: src:git; Maintainer for src:git is Gerrit Pape <pape@smarden.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Tue, 26 Sep 2017 11:21:04 UTC; Severity: grave; Tags: fixed-upstream, security, upstream; Found in ...
Git could be made to run programs if it processed a specially crafted file ...
joernchen discovered that the git-cvsserver subcommand of Git, a distributed version control system, suffers from a shell command injection vulnerability due to unsafe use of the Perl backtick operator. The git-cvsserver subcommand is reachable from the git-shell subcommand even if CVS support has not been configured (however, the git-cvs package n ...