Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13NHhoLXczM3AtNHYyOc4AATSj
GitHub Git LFS Arbitrary command execution vulnerability
GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, located on a url = line in a .lfsconfig file within a repository.
Specific Go Packages Affected
github.com/git-lfs/git-lfs/lfsapi
Permalink: https://github.com/advisories/GHSA-w4xh-w33p-4v29
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13NHhoLXczM3AtNHYyOc4AATSj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 8.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00562
EPSS Percentile: 0.77539
Identifiers: GHSA-w4xh-w33p-4v29, CVE-2017-17831
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-17831
- https://github.com/git-lfs/git-lfs/pull/2242
- https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html
- https://github.com/git-lfs/git-lfs/releases/tag/v2.1.1
- http://blog.recurity-labs.com/2017-08-10/scm-vulns
- https://github.com/git-lfs/git-lfs/pull/2241
- https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19
- https://pkg.go.dev/vuln/GO-2021-0073
- https://web.archive.org/web/20200227131639/http://www.securityfocus.com/bid/102926
- http://www.securityfocus.com/bid/102926
- https://github.com/advisories/GHSA-w4xh-w33p-4v29
Blast Radius: 12.5
Affected Packages
go:github.com/git-lfs/git-lfs
Dependent packages: 5
Dependent repositories: 26
Downloads:
Affected Version Ranges: < 2.1.1-0.20170519163204-f913f5f9c7c6
Fixed in: 2.1.1-0.20170519163204-f913f5f9c7c6
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.6.0, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 2.0.0, 2.0.1, 2.0.2, 2.1.0
All unaffected versions: 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2