VYPR
High severity (8.8) · NVD Advisory · Published Sep 29, 2017 · Updated May 13, 2026

CVE-2017-14867

Description

Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.

Affected products (20)

  • Git/Git (18 versions)
    • cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:* (range: <=2.10.4)
    • cpe:2.3:a:git-scm:git:2.11.0:*:*:*:*:*:*:*
    • cpe:2.3:a:git-scm:git:2.11.1:*:*:*:*:*:*:*
    • cpe:2.3:a:git-scm:git:2.11.2:*:*:*:*:*:*:*
    • cpe:2.3:a:git-scm:git:2.11.3:*:*:*:*:*:*:*
    • cpe:2.3:a:git-scm:git:2.12.0:*:*:*:*:*:*:*
    • cpe:2.3:a:git-scm:git:2.12.1:*:*:*:*:*:*:*
    • cpe:2.3:a:git-scm:git:2.12.2:*:*:*:*:*:*:*
    • cpe:2.3:a:git-scm:git:2.12.3:*:*:*:*:*:*:*
    • cpe:2.3:a:git-scm:git:2.12.4:*:*:*:*:*:*:*
    • cpe:2.3:a:git-scm:git:2.13.0:*:*:*:*:*:*:*
    • cpe:2.3:a:git-scm:git:2.13.1:*:*:*:*:*:*:*
    • cpe:2.3:a:git-scm:git:2.13.2:*:*:*:*:*:*:*
    • cpe:2.3:a:git-scm:git:2.13.3:*:*:*:*:*:*:*
    • cpe:2.3:a:git-scm:git:2.13.4:*:*:*:*:*:*:*
    • cpe:2.3:a:git-scm:git:2.13.5:*:*:*:*:*:*:*
    • cpe:2.3:a:git-scm:git:2.14.0:*:*:*:*:*:*:*
    • cpe:2.3:a:git-scm:git:2.14.1:*:*:*:*:*:*:*
  • Debian Linux (2 versions)
    • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
    • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
