GitHub Advisory DatabaseGHSA-4J5J-58J7-6C3WDulwich Arbitrary code execution via commit with directory path starting with .git
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
7.7 High
AI Score
Confidence
Low
0.164 Low
EPSS
Percentile
96.0%
The build_index_from_tree function in index.py in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a commit with a directory path starting with .git/, which is not properly handled when checking out a working tree.
Affected configurations
References
lists.fedoraproject.org/pipermail/package-announce/2015-April/154523.html
lists.fedoraproject.org/pipermail/package-announce/2015-April/154551.html
www.debian.org/security/2015/dsa-3206
www.openwall.com/lists/oss-security/2015/03/21/1
www.openwall.com/lists/oss-security/2015/03/22/26
git.samba.org/?p=jelmer/dulwich.git;a=commitdiff;h=091638be3c89f46f42c3b1d57dc1504af5729176
github.com/advisories/GHSA-4j5j-58j7-6c3w
github.com/jelmer/dulwich/commit/091638be3c89f46f42c3b1d57dc1504af5729176
lists.launchpad.net/dulwich-users/msg00827.html
nvd.nist.gov/vuln/detail/CVE-2014-9706
Related
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
7.7 High
AI Score
Confidence
Low
0.164 Low
EPSS
Percentile
96.0%