High severity8.8NVD Advisory· Published Sep 29, 2017· Updated Jun 17, 2026
CVE-2017-14867
CVE-2017-14867
Description
Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
35cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*+ 18 more
- cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*range: <=2.10.4
- cpe:2.3:a:git-scm:git:2.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:2.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:2.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:2.11.3:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:2.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:2.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:2.12.2:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:2.12.3:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:2.12.4:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:2.13.0:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:2.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:2.13.2:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:2.13.3:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:2.13.4:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:2.13.5:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:2.14.0:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:2.14.1:*:*:*:*:*:*:*
- (no CPE)range: <2.10.5, <2.11.4, <2.12.5, <2.13.6, <2.14.2
- osv-coords14 versionspkg:rpm/opensuse/git&distro=openSUSE%20Tumbleweedpkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSSpkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3pkg:rpm/suse/git&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/git&distro=SUSE%20OpenStack%20Cloud%206pkg:rpm/suse/git&distro=SUSE%20Studio%20Onsite%201.3
< 2.33.0-1.3+ 13 more
- (no CPE)range: < 2.33.0-1.3
- (no CPE)range: < 2.12.3-27.9.1
- (no CPE)range: < 2.12.3-27.9.1
- (no CPE)range: < 2.12.3-27.9.1
- (no CPE)range: < 2.12.3-27.9.1
- (no CPE)range: < 2.12.3-27.9.1
- (no CPE)range: < 2.12.3-27.9.1
- (no CPE)range: < 2.12.3-27.9.1
- (no CPE)range: < 1.7.12.4-0.18.6.1
- (no CPE)range: < 2.12.3-27.9.1
- (no CPE)range: < 2.12.3-27.9.1
- (no CPE)range: < 2.45.1-1.1
- (no CPE)range: < 2.12.3-27.9.1
- (no CPE)range: < 1.7.12.4-0.18.6.1
Patches
Vulnerability mechanics
References
7- www.openwall.com/lists/oss-security/2017/09/26/9nvdMailing ListThird Party Advisory
- www.securityfocus.com/bid/101060nvdThird Party AdvisoryVDB Entry
- www.securitytracker.com/id/1039431nvdThird Party AdvisoryVDB Entry
- bugs.debian.org/876854nvdIssue TrackingMailing ListThird Party Advisory
- lists.debian.org/debian-security-announce/2017/msg00246.htmlnvdMailing ListThird Party Advisory
- www.debian.org/security/2017/dsa-3984nvdThird Party Advisory
- public-inbox.org/git/xmqqy3p29ekj.fsf%40gitster.mtv.corp.google.com/T/nvd
News mentions
0No linked articles in our index yet.