High severity8.8NVD Advisory· Published Dec 21, 2017· Updated Jun 17, 2026
CVE-2017-17831
CVE-2017-17831
Description
GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, located on a "url =" line in a .lfsconfig file within a repository.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/git-lfs/git-lfsGo | < 2.1.1-0.20170519163204-f913f5f9c7c6 | 2.1.1-0.20170519163204-f913f5f9c7c6 |
Affected products
2- cpe:2.3:a:git_large_file_storage_project:git_large_file_storage:*:*:*:*:*:*:*:*Range: <2.1.1
Patches
Vulnerability mechanics
References
11- github.com/git-lfs/git-lfs/pull/2242nvdPatchThird Party AdvisoryWEB
- blog.recurity-labs.com/2017-08-10/scm-vulnsnvdExploitThird Party AdvisoryWEB
- www.securityfocus.com/bid/102926nvdThird Party AdvisoryVDB EntryWEB
- confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.htmlnvdThird Party AdvisoryWEB
- github.com/advisories/GHSA-w4xh-w33p-4v29ghsaADVISORY
- github.com/git-lfs/git-lfs/releases/tag/v2.1.1nvdRelease NotesThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2017-17831ghsaADVISORY
- github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19ghsaWEB
- github.com/git-lfs/git-lfs/pull/2241ghsaWEB
- pkg.go.dev/vuln/GO-2021-0073ghsaWEB
- web.archive.org/web/20200227131639/http://www.securityfocus.com/bid/102926ghsaWEB
News mentions
0No linked articles in our index yet.