git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a - (dash) character.

CPE name | Operator | Version |
---|---|---|
ubuntu_linux | eq | 16.10 |
ubuntu_linux | eq | 16.04 |
ubuntu_linux | eq | 14.04 |
ubuntu_linux | eq | 17.04 |
debian_linux | eq | 8.0 |
fedora | eq | 26 |
fedora | eq | 25 |
fedora | eq | 24 |
leap | eq | 42.1 |

lists.opensuse.org/opensuse-updates/2017-05/msg00090.html
public-inbox.org/git/[email protected]/
www.debian.org/security/2017/dsa-3848
www.securityfocus.com/bid/98409
www.securitytracker.com/id/1038479
www.ubuntu.com/usn/USN-3287-1
access.redhat.com/errata/RHSA-2017:2004
access.redhat.com/errata/RHSA-2017:2491
insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-8386/
kernel.googlesource.com/pub/scm/git/git/+/3ec804490a265f4c418a321428c12f3f18b7eff5
lists.fedoraproject.org/archives/list/[email protected]/message/3ISHYFLM2ACYHHY3JHCLF75X7UF4ZMDM/
lists.fedoraproject.org/archives/list/[email protected]/message/DPYRN7APMHY4ZFDPAKD22J5R4QJFY2JP/
lists.fedoraproject.org/archives/list/[email protected]/message/FDS3LSJJ3YGGQYIVPKQDVOCXWDSF6JGF/
security.gentoo.org/glsa/201706-04