CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 2CVE-2017-15298 – Ubuntu Security Notice USN-3829-1
https://notcve.org/view.php?id=CVE-2017-15298
14 Oct 2017 — Git through 2.14.2 mishandles layers of tree objects, which allows remote attackers to cause a denial of service (memory consumption) via a crafted repository, aka a Git bomb. This can also have an impact of disk consumption; however, an affected process typically would not survive its attempt to build the data structure in memory before writing to disk. Git, en versiones hasta la 2.14.2 gestiona de manera incorrecta capas de objetos tipo árbol, lo que permite que atacantes remotos provoquen una denegación ... • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 124EXPL: 0CVE-2017-1000092
https://notcve.org/view.php?id=CVE-2017-1000092
04 Oct 2017 — Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL which would result in the Jenkins Git client sending the username and password to an attacker-controlled server. El plugin Git se conecta a un repositorio de Git especificado por el usuario como parte de la v... • http://www.securityfocus.com/bid/100435 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.0EPSS: 6%CPEs: 20EXPL: 0CVE-2017-14867 – Ubuntu Security Notice USN-3438-1
https://notcve.org/view.php?id=CVE-2017-14867
28 Sep 2017 — Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support. Git en versiones anteriores a la 2.10.5, las versiones 2.11.x anteriores a 2.11.4, las 2.12.x anteriores a2.12.5, las 2.13.x anteriores a 2.13.6 y las 2.14.x anter... • http://www.openwall.com/lists/oss-security/2017/09/26/9 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 72%CPEs: 51EXPL: 24CVE-2017-1000117 – Git < 2.7.5 - Command Injection
https://notcve.org/view.php?id=CVE-2017-1000117
10 Aug 2017 — A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability. Un tercero malicioso puede proporcionar una URL "ssh://..." manipulada a una víctima desprevenida y un intento de visita ... • https://packetstorm.news/files/id/143965 • CWE-20: Improper Input Validation CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •