CVE-2017-1000117
Malicious Git HTTP Server For CVE-2017-1000117
Severity Score
8.8
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
21
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability.
Un tercero malicioso puede proporcionar una URL "ssh://..." manipulada a una víctima desprevenida y un intento de visita a la URL puede resultar en que se ejecute cualquier programa que exista en la máquina de la víctima. Dicha URL podría colocarse en el archivo .gitmodules de un proyecto malicioso y una víctima desprevenida podría ser engañada para que ejecute "git clone --recurse-submodules" para desencadenar esta vulnerabilidad.
A shell command injection flaw related to the handling of "ssh" URLs has been discovered in Git. An attacker could use this flaw to execute shell commands with the privileges of the user running the Git client, for example, when performing a "clone" action on a malicious repository or a legitimate repository containing a malicious commit.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2017-08-10 CVE Published
- 2017-08-10 First Exploit
- 2017-10-03 CVE Reserved
- 2024-01-07 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-20: Improper Input Validation
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CAPEC
References (34)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/100283 | Third Party Advisory | |
| http://www.securitytracker.com/id/1039131 | Third Party Advisory | |
| https://support.apple.com/HT208103 | Third Party Advisory |
|
| https://www.mail-archive.com/linux-kernel%40vger.kernel.org/msg1466490.html | X_refsource_misc |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://www.debian.org/security/2017/dsa-3934 | 2023-11-07 | |
| https://access.redhat.com/errata/RHSA-2017:2484 | 2023-11-07 | |
| https://access.redhat.com/errata/RHSA-2017:2485 | 2023-11-07 | |
| https://access.redhat.com/errata/RHSA-2017:2491 | 2023-11-07 | |
| https://access.redhat.com/errata/RHSA-2017:2674 | 2023-11-07 | |
| https://access.redhat.com/errata/RHSA-2017:2675 | 2023-11-07 | |
| https://security.gentoo.org/glsa/201709-10 | 2023-11-07 | |
| https://access.redhat.com/security/cve/CVE-2017-1000117 | 2017-09-18 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1480386 | 2017-09-18 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | <= 2.7.5 Search vendor "Git-scm" for product "Git" and version " <= 2.7.5" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.8.0 Search vendor "Git-scm" for product "Git" and version "2.8.0" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.8.0 Search vendor "Git-scm" for product "Git" and version "2.8.0" | rc0 |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.8.0 Search vendor "Git-scm" for product "Git" and version "2.8.0" | rc1 |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.8.0 Search vendor "Git-scm" for product "Git" and version "2.8.0" | rc2 |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.8.0 Search vendor "Git-scm" for product "Git" and version "2.8.0" | rc3 |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.8.1 Search vendor "Git-scm" for product "Git" and version "2.8.1" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.8.2 Search vendor "Git-scm" for product "Git" and version "2.8.2" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.8.3 Search vendor "Git-scm" for product "Git" and version "2.8.3" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.8.4 Search vendor "Git-scm" for product "Git" and version "2.8.4" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.8.5 Search vendor "Git-scm" for product "Git" and version "2.8.5" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.9.0 Search vendor "Git-scm" for product "Git" and version "2.9.0" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.9.0 Search vendor "Git-scm" for product "Git" and version "2.9.0" | rc0 |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.9.0 Search vendor "Git-scm" for product "Git" and version "2.9.0" | rc1 |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.9.0 Search vendor "Git-scm" for product "Git" and version "2.9.0" | rc2 |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.9.1 Search vendor "Git-scm" for product "Git" and version "2.9.1" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.9.2 Search vendor "Git-scm" for product "Git" and version "2.9.2" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.9.3 Search vendor "Git-scm" for product "Git" and version "2.9.3" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.9.4 Search vendor "Git-scm" for product "Git" and version "2.9.4" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.10.0 Search vendor "Git-scm" for product "Git" and version "2.10.0" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.10.0 Search vendor "Git-scm" for product "Git" and version "2.10.0" | rc0 |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.10.0 Search vendor "Git-scm" for product "Git" and version "2.10.0" | rc1 |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.10.0 Search vendor "Git-scm" for product "Git" and version "2.10.0" | rc2 |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.10.1 Search vendor "Git-scm" for product "Git" and version "2.10.1" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.10.2 Search vendor "Git-scm" for product "Git" and version "2.10.2" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.10.3 Search vendor "Git-scm" for product "Git" and version "2.10.3" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.11.0 Search vendor "Git-scm" for product "Git" and version "2.11.0" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.11.0 Search vendor "Git-scm" for product "Git" and version "2.11.0" | rc0 |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.11.0 Search vendor "Git-scm" for product "Git" and version "2.11.0" | rc1 |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.11.0 Search vendor "Git-scm" for product "Git" and version "2.11.0" | rc2 |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.11.0 Search vendor "Git-scm" for product "Git" and version "2.11.0" | rc3 |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.11.1 Search vendor "Git-scm" for product "Git" and version "2.11.1" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.11.2 Search vendor "Git-scm" for product "Git" and version "2.11.2" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.12.0 Search vendor "Git-scm" for product "Git" and version "2.12.0" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.12.0 Search vendor "Git-scm" for product "Git" and version "2.12.0" | rc0 |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.12.0 Search vendor "Git-scm" for product "Git" and version "2.12.0" | rc1 |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.12.0 Search vendor "Git-scm" for product "Git" and version "2.12.0" | rc2 |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.12.1 Search vendor "Git-scm" for product "Git" and version "2.12.1" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.12.2 Search vendor "Git-scm" for product "Git" and version "2.12.2" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.12.3 Search vendor "Git-scm" for product "Git" and version "2.12.3" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.13.0 Search vendor "Git-scm" for product "Git" and version "2.13.0" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.13.0 Search vendor "Git-scm" for product "Git" and version "2.13.0" | rc0 |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.13.0 Search vendor "Git-scm" for product "Git" and version "2.13.0" | rc1 |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.13.0 Search vendor "Git-scm" for product "Git" and version "2.13.0" | rc2 |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.13.1 Search vendor "Git-scm" for product "Git" and version "2.13.1" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.13.2 Search vendor "Git-scm" for product "Git" and version "2.13.2" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.13.3 Search vendor "Git-scm" for product "Git" and version "2.13.3" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.13.4 Search vendor "Git-scm" for product "Git" and version "2.13.4" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.14.0 Search vendor "Git-scm" for product "Git" and version "2.14.0" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.14.0 Search vendor "Git-scm" for product "Git" and version "2.14.0" | rc0 |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.14.0 Search vendor "Git-scm" for product "Git" and version "2.14.0" | rc1 |
Affected
| ||||||