Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13NHhoLXczM3AtNHYyOc4AATSj
GitHub Git LFS Improper Input Validation vulnerability
GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, located on a `url =` line in a `.lfsconfig` file within a repository.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13NHhoLXczM3AtNHYyOc4AATSj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: 7 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-w4xh-w33p-4v29, CVE-2017-17831
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-17831
- https://github.com/git-lfs/git-lfs/pull/2242
- https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html
- https://github.com/git-lfs/git-lfs/releases/tag/v2.1.1
- http://blog.recurity-labs.com/2017-08-10/scm-vulns
- https://github.com/git-lfs/git-lfs/pull/2241
- https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19
- https://pkg.go.dev/vuln/GO-2021-0073
- https://web.archive.org/web/20200227131639/http://www.securityfocus.com/bid/102926
- http://www.securityfocus.com/bid/102926
- https://github.com/advisories/GHSA-w4xh-w33p-4v29
Affected Packages
go:github.com/git-lfs/git-lfs
Versions: < 2.1.1-0.20170519163204-f913f5f9c7c6
Fixed in: 2.1.1-0.20170519163204-f913f5f9c7c6
go:github.com/git-lfs/git-lfs/lfsapi
Versions: < 2.1.1-0.20170519163204-f913f5f9c7c6
Fixed in: 2.1.1-0.20170519163204-f913f5f9c7c6