High severity8.8NVD Advisory· Published Jun 1, 2017· Updated May 13, 2026

CVE-2017-8386

Description

git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a - (dash) character.

Affected products

Git/Git Shell
cpe:2.3:a:git:git-shell:-:*:*:*:*:*:*:*
Canonical (company)/Ubuntu Linux4 versions
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*+ 3 more
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:17.04:*:*:*:*:*:*:*
Debian/Debian Linux
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Fedoraproject/Fedora3 versions
cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:25:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:26:*:*:*:*:*:*:*
OpenSUSE/Leap
cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.ubuntu.com/usn/USN-3287-1nvdExploitThird Party Advisory
lists.opensuse.org/opensuse-updates/2017-05/msg00090.htmlnvdMailing ListThird Party Advisory
www.debian.org/security/2017/dsa-3848nvdThird Party AdvisoryVDB Entry
www.securityfocus.com/bid/98409nvdThird Party AdvisoryVDB Entry
www.securitytracker.com/id/1038479nvdThird Party Advisory
insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-8386/nvdMitigationThird Party Advisory
kernel.googlesource.com/pub/scm/git/git/+/3ec804490a265f4c418a321428c12f3f18b7eff5nvdThird Party Advisory
public-inbox.org/git/xmqq8tm5ziat.fsf%40gitster.mtv.corp.google.com/nvd
access.redhat.com/errata/RHSA-2017:2004nvd
access.redhat.com/errata/RHSA-2017:2491nvd
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ISHYFLM2ACYHHY3JHCLF75X7UF4ZMDM/nvd
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DPYRN7APMHY4ZFDPAKD22J5R4QJFY2JP/nvd
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FDS3LSJJ3YGGQYIVPKQDVOCXWDSF6JGF/nvd
security.gentoo.org/glsa/201706-04nvd

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.059
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000