CVE-2017-17831
Severity: HIGH 8.8 | EPSS: 0.72%
Arbitrary command execution in github.com/git-lfs/git-lfs
Published: 2022/5/14 | Modified: 2024/6/3
Description
Arbitrary command execution can be triggered by improperly sanitized SSH URLs in LFS configuration files (the `.lfsconfig` a repository ships with). Cloning a malicious repository is enough to trigger it: git-lfs reads the endpoint URL from the repository's own configuration and invokes ssh with it, so no user action beyond the clone is required. The underlying class is the one described in the referenced Recurity Labs post: when the host (or user) component of an ssh:// URL begins with '-', it is placed on the ssh command line, where ssh parses it as an option such as -oProxyCommand, whose value is run as a shell command. Fixed in v2.1.1 (commit f913f5f9, pull requests #2241 and #2242).
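The following Go program is an added illustration, not git-lfs's own code, of the kind of input sanitisation that closes this class of bug: it pulls the `url` value out of a constructed `.lfsconfig`, parses the ssh:// endpoint by hand, refuses a user or host that begins with '-', and builds the ssh argument list with a `--` option terminator as a second line of defence. The config reader, the `Endpoint` type and all function names are assumptions made for this example; the sample config contents are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Endpoint holds the parts of an ssh:// LFS URL that reach the ssh command
// line. Illustrative type for this example, not git-lfs's own.
type Endpoint struct {
	User string
	Host string
	Port string
	Path string
}

// ErrOptionLikeHost is returned when the user or host would be read by ssh
// as an option (for example "-oProxyCommand=...") rather than as a target.
var ErrOptionLikeHost = errors.New("ssh user or host begins with '-' and would be parsed by ssh as an option")

// LFSURLFromConfig returns the "url" value of the [lfs] section of a
// .lfsconfig file. Minimal config parsing for the example; git-lfs itself
// goes through git config.
func LFSURLFromConfig(cfg string) (string, bool) {
	inLFS := false
	for _, line := range strings.Split(cfg, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "[") {
			inLFS = line == "[lfs]"
			continue
		}
		if !inLFS {
			continue
		}
		kv := strings.SplitN(line, "=", 2) // SplitN: the URL itself may contain '='
		if len(kv) == 2 && strings.TrimSpace(kv[0]) == "url" {
			return strings.TrimSpace(kv[1]), true
		}
	}
	return "", false
}

// ParseSSHURL parses ssh://[user@]host[:port]/path by hand, so that every
// string an attacker can put in .lfsconfig reaches the dash check instead
// of failing earlier for an unrelated reason. Bracketed IPv6 hosts are out
// of scope for the example.
func ParseSSHURL(raw string) (Endpoint, error) {
	const scheme = "ssh://"
	if !strings.HasPrefix(raw, scheme) {
		return Endpoint{}, fmt.Errorf("not an ssh:// URL: %q", raw)
	}
	rest := raw[len(scheme):]
	authority, path := rest, ""
	if i := strings.Index(rest, "/"); i >= 0 {
		authority, path = rest[:i], rest[i:]
	}
	var ep Endpoint
	if i := strings.LastIndex(authority, "@"); i >= 0 {
		ep.User, authority = authority[:i], authority[i+1:]
	}
	ep.Host = authority
	if i := strings.LastIndex(authority, ":"); i >= 0 {
		ep.Host, ep.Port = authority[:i], authority[i+1:]
	}
	ep.Path = strings.TrimPrefix(path, "/")
	if ep.Host == "" {
		return Endpoint{}, errors.New("empty host")
	}
	// The sanitisation this advisory is about: ssh parses argv like any
	// getopt-style program, so a leading '-' in the target argument turns
	// attacker-controlled data into an ssh option. Refuse it outright.
	if strings.HasPrefix(ep.User, "-") || strings.HasPrefix(ep.Host, "-") {
		return Endpoint{}, ErrOptionLikeHost
	}
	return ep, nil
}

// SSHArgs builds the argv for the git-lfs-authenticate call. "--" ends
// option parsing in OpenSSH, so even a target that slipped past the parser
// cannot be read as a flag. It is a second layer, not a replacement for the
// check in ParseSSHURL.
func SSHArgs(ep Endpoint, operation string) []string {
	var args []string
	if ep.Port != "" {
		args = append(args, "-p", ep.Port)
	}
	target := ep.Host
	if ep.User != "" {
		target = ep.User + "@" + ep.Host
	}
	return append(args, "--", target, "git-lfs-authenticate", ep.Path, operation)
}

func main() {
	// Constructed .lfsconfig contents: a benign one and one whose "host" is
	// an ssh option (payload shape only, not a working exploit).
	for _, cfg := range []string{
		"[lfs]\n\turl = ssh://git@example.com:2222/org/repo.git\n",
		"[lfs]\n\turl = ssh://-oProxyCommand=id/repo.git\n",
	} {
		raw, _ := LFSURLFromConfig(cfg)
		if ep, err := ParseSSHURL(raw); err != nil {
			fmt.Printf("%s -> rejected: %v\n", raw, err)
		} else {
			fmt.Printf("%s -> ssh %s\n", raw, strings.Join(SSHArgs(ep, "download"), " "))
		}
	}
}
```

`go run` prints the ssh argv for the benign endpoint and the rejection for the option-like one. The parse-time rejection is the control that matters: `--` is honoured by OpenSSH but is not guaranteed for every ssh-compatible client a user may have configured, and a real implementation also has to cover scp-style `user@host:path` endpoints, which this example does not.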
Affected packages (2)
- Go / github.com/git-lfs/git-lfs: from 0, < 2.1.1-0.20170519163204-f913f5f9c7c6
- Go / github.com/git-lfs/git-lfs: from 0, < 2.1.1-0.20170519163204-f913f5f9c7c6+incompatible
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
References (11)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2017-17831
- PATCH: https://github.com/git-lfs/git-lfs
- WEB: http://blog.recurity-labs.com/2017-08-10/scm-vulns
- WEB: https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html
- WEB: https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19
- WEB: https://github.com/git-lfs/git-lfs/pull/2241
- WEB: https://github.com/git-lfs/git-lfs/pull/2242
- WEB: https://github.com/git-lfs/git-lfs/releases/tag/v2.1.1
- WEB: https://pkg.go.dev/vuln/GO-2021-0073
- WEB: https://web.archive.org/web/20200227131639/http://www.securityfocus.com/bid/102926
- WEB: http://www.securityfocus.com/bid/102926