DEBIAN-CVE-2017-14867

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2017-14867
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2017-14867.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2017-14867
Upstream
Published
2017-09-29T01:34:50Z
Modified
2025-09-30T03:54:36Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.

References

Affected packages

Debian:11 / git

Package

Name
git
Purl
pkg:deb/debian/git?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:2.14.2-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / git

Package

Name
git
Purl
pkg:deb/debian/git?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:2.14.2-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / git

Package

Name
git
Purl
pkg:deb/debian/git?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:2.14.2-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14 / git

Package

Name
git
Purl
pkg:deb/debian/git?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:2.14.2-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}