CVE-2017-12976

HIGH8.8EPSS 0.27%

git-annex - security update

Published: 11/14/2025Modified: 3/9/2026

Also known as:DEBIAN-CVE-2017-12976DLA-1144-1HSEC-2023-0009

Description

git-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and CVE-2017-1000117.

Affected packages (5)

Debian/git-annexfrom 0, < 6.20170818-1
Debian/git-annexfrom 0, < 3.20120629+deb7u1
Debian/git-annexfrom 0, < 5.20141125+oops-1+deb8u2
Debian/git-annexfrom 0, < 5.20141125+deb8u1
Hackage/git-annexfrom 0, < 6.20170818

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (3)

ADVISORYhttps://git-annex.branchable.com/security/CVE-2017-12976/
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2017-12976
PATCHhttp://source.git-annex.branchable.com/?p=source.git;a=commitdiff;h=df11e54788b254efebb4898b474de11ae8d3b471