GHSA-w4xh-w33p-4v29

Source

https://github.com/advisories/GHSA-w4xh-w33p-4v29

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w4xh-w33p-4v29/GHSA-w4xh-w33p-4v29.json

Aliases

CVE-2017-17831
GO-2021-0073

Published

2022-05-14T00:55:16Z

Modified

2023-11-08T03:59:14.768996Z

Details

GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, located on a url = line in a .lfsconfig file within a repository.

Specific Go Packages Affected

github.com/git-lfs/git-lfs/lfsapi

References

https://nvd.nist.gov/vuln/detail/CVE-2017-17831
https://github.com/git-lfs/git-lfs/pull/2241
https://github.com/git-lfs/git-lfs/pull/2242
https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19
https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html
https://github.com/git-lfs/git-lfs
https://github.com/git-lfs/git-lfs/releases/tag/v2.1.1
https://pkg.go.dev/vuln/GO-2021-0073
https://web.archive.org/web/20200227131639/http://www.securityfocus.com/bid/102926
http://blog.recurity-labs.com/2017-08-10/scm-vulns
http://www.securityfocus.com/bid/102926

Affected packages

Go / github.com/git-lfs/git-lfs

Package

Name: github.com/git-lfs/git-lfs

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Fixed

2.1.1-0.20170519163204-f913f5f9c7c6