Published: 01/06/2017 Updated: 07/11/2023

CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8

CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8

VMScore: 580

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

git-shell in git prior to 2.4.12, 2.5.x prior to 2.5.6, 2.6.x prior to 2.6.7, 2.7.x prior to 2.7.5, 2.8.x prior to 2.8.5, 2.9.x prior to 2.9.4, 2.10.x prior to 2.10.3, 2.11.x prior to 2.11.2, and 2.12.x prior to 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a - (dash) character.

Vulnerable Product	Search on Vulmon	Subscribe to Product
git git-shell -
opensuse leap 42.1
debian debian linux 8.0
canonical ubuntu linux 16.10
canonical ubuntu linux 16.04
canonical ubuntu linux 14.04
canonical ubuntu linux 17.04
fedoraproject fedora 26
fedoraproject fedora 25
fedoraproject fedora 24

Git could be made to expose sensitive information over the network ...

Debian Bug report logs - #869639 firmware-brcm80211: BroadPwn vulnerability CVE-2017-9417 Package: firmware-brcm80211; Maintainer for firmware-brcm80211 is Debian Kernel Team <debian-kernel@listsdebianorg>; Source for firmware-brcm80211 is src:firmware-nonfree (PTS, buildd, popcon) Reported by: Mark Robinson <mark@zl2to ...

Escape out of git-shellA flaw was found in the way git-shell handled command-line options for the restricted set of git-shell commands A remote authenticated attacker could use this flaw to bypass git-shell restrictions, to view and manipulate files, by abusing the instance of the less command launched using crafted command-line options (CVE-2017 ...

A flaw was found in the way git-shell handled command-line options for the restricted set of git-shell commands A remote, authenticated attacker could use this flaw to bypass git-shell restrictions, to view and manipulate files, by abusing the instance of the less command launched using crafted command-line options ...

A security issue has been found in git < 2123, allowing a remote restricted user to execute an interactive pager on the server by causing it to spawn "git upload-pack --help" This is only an issue for servers running the "git-shell" restricted login shell ...

GIT-SHELL 沙盒绕过（CVE-2017-8386） GIT-SHELL 沙盒绕过（CVE-2017-8386）导致任意文件读取、可能的任意命令执行漏洞。参考链接： insinuatornet/2017/05/git-shell-bypass-by-abusing-less-cve-2017-8386/ wwwleavesongscom/PENETRATION/git-shell-cve-2017-8386html 测试环境编译及运行测试环境： docker-compose build doc

git-server-docker A Git Server Docker image built with ubuntu Build to illustrate wwwcvedetailscom/cve/CVE-2017-8386/ strongly inspired by githubcom/jkarlosb/git-server-docker vulnerability replay From a computer having git installed docker run -d -p 2222:22 -v ~/git-server/keys:/git-server/keys -v ~/git-server/repos:/git-server/repos git-server-dock

NVD-CWE-noinfo https://kernel.googlesource.com/pub/scm/git/git/+/3ec804490a265f4c418a321428c12f3f18b7eff5 https://insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-8386/http://www.ubuntu.com/usn/USN-3287-1 http://www.securitytracker.com/id/1038479 http://www.securityfocus.com/bid/98409 http://www.debian.org/security/2017/dsa-3848 http://lists.opensuse.org/opensuse-updates/2017-05/msg00090.html https://security.gentoo.org/glsa/201706-04 https://access.redhat.com/errata/RHSA-2017:2491 https://access.redhat.com/errata/RHSA-2017:2004 http://public-inbox.org/git/xmqq8tm5ziat.fsf%40gitster.mtv.corp.google.com/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ISHYFLM2ACYHHY3JHCLF75X7UF4ZMDM/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DPYRN7APMHY4ZFDPAKD22J5R4QJFY2JP/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FDS3LSJJ3YGGQYIVPKQDVOCXWDSF6JGF/https://usn.ubuntu.com/3287-1/https://nvd.nist.gov

CVE-2017-8386

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Github Repositories

References

Vulmon Search

About

Products

Connect