CVE-2017-14867

high-risk

Published 2017-09-29

Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.

Do I need to act?

7.0% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (20)

Git

Debian Linux

Git

Affected Vendors

Debian Git-Scm

References (14)

Mailing List http://www.openwall.com/lists/oss-security/2017/09/26/9

Third Party Advisory http://www.securityfocus.com/bid/101060

Third Party Advisory http://www.securitytracker.com/id/1039431

Issue Tracking https://bugs.debian.org/876854

Mailing List https://lists.debian.org/debian-security-announce/2017/msg00246.html

https://public-inbox.org/git/xmqqy3p29ekj.fsf%40gitster.mtv.corp.google.com/T/#u

Third Party Advisory https://www.debian.org/security/2017/dsa-3984

Mailing List http://www.openwall.com/lists/oss-security/2017/09/26/9

Third Party Advisory http://www.securityfocus.com/bid/101060

Third Party Advisory http://www.securitytracker.com/id/1039431

Issue Tracking https://bugs.debian.org/876854

Mailing List https://lists.debian.org/debian-security-announce/2017/msg00246.html

https://public-inbox.org/git/xmqqy3p29ekj.fsf%40gitster.mtv.corp.google.com/T/#u

Third Party Advisory https://www.debian.org/security/2017/dsa-3984

/ 100

high-risk

Severity 30/34 · Critical

Exploitability 9/34 · Low

Exposure 20/34 · Moderate