Lucene search

[email protected]CVE-2017-8386

HistoryJun 01, 2017 - 4:29 p.m.

CVE-2017-8386

2017-06-0116:29:00

[email protected]

web.nvd.nist.gov

162

cve

2017-8386

git

git-shell

remote authenticated users

privileges

nvd

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.3 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

60.8%

JSON

git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a - (dash) character.

Affected configurations

NVD

Node

gitgit-shellMatch-

Node

opensuseleapMatch42.1

Node

debiandebian_linuxMatch8.0

Node

canonicalubuntu_linuxMatch14.04lts

canonicalubuntu_linuxMatch16.04lts

canonicalubuntu_linuxMatch16.10

canonicalubuntu_linuxMatch17.04

Node

fedoraprojectfedoraMatch24

fedoraprojectfedoraMatch25

fedoraprojectfedoraMatch26

CPENameOperatorVersion
git:git-shellgit git-shelleq-

CPE	Name	Operator	Version
git:git-shell	git git-shell	eq	-

References

lists.opensuse.org/opensuse-updates/2017-05/msg00090.html

public-inbox.org/git/xmqq8tm5ziat.fsf%40gitster.mtv.corp.google.com/

www.debian.org/security/2017/dsa-3848

www.securityfocus.com/bid/98409

www.securitytracker.com/id/1038479

www.ubuntu.com/usn/USN-3287-1

access.redhat.com/errata/RHSA-2017:2004

access.redhat.com/errata/RHSA-2017:2491

insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-8386/

kernel.googlesource.com/pub/scm/git/git/+/3ec804490a265f4c418a321428c12f3f18b7eff5

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ISHYFLM2ACYHHY3JHCLF75X7UF4ZMDM/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DPYRN7APMHY4ZFDPAKD22J5R4QJFY2JP/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FDS3LSJJ3YGGQYIVPKQDVOCXWDSF6JGF/

security.gentoo.org/glsa/201706-04

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.3 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

60.8%

JSON

CVE-2017-8386

Affected configurations

References

Related