Git · Git-Scm · CVE-2017-1000117
**Name of the Vulnerable Software and Affected Versions**
git versions prior to 6.20170818
git-scm git (affected versions not specified)
**Description**
A malicious third party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. This can be done by placing the URL in the .gitmodules file of a malicious project, so that an unsuspecting victim who is tricked into running "git clone --recurse-submodules" triggers the issue. The `git-annex` command is also vulnerable to command injection via a malicious SSH hostname. If the hostname parsed from the URL is something like `-eProxyCommand=evil`, ssh treats it as a command-line option rather than a host, which can result in arbitrary local code execution. An attacker could exploit this by tricking the victim into adding a remote such as `ssh://-eProxyCommand=evil/blah`, or by using `initremote` with an SSH remote and embedding the URL in the `git-annex` branch.
**Recommendations**
For git versions prior to 6.20170818, update to version 6.20170818 or later to resolve the issue.
For git-scm git, there is at the moment no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, avoid using `git clone --recurse-submodules` with untrusted projects and restrict the use of `git-annex` with SSH remotes until a patch is available. Avoid URLs that start with `ssh://` and carry a hostname that could be parsed as an ssh option, such as one starting with `-eProxyCommand=`.
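The description above explains the mechanism (an ssh hostname that begins with `-` is consumed by ssh as an option), and the workaround above asks users to avoid such URLs. The following added example, which is not code from git, git-scm or the git-annex project, shows the check a defender can run over a `.gitmodules` file before recursing into submodules: it extracts the hostname git would hand to ssh and flags any that starts with `-`. The `.gitmodules` content, the submodule names and the `ssh_host` / `find_unsafe_submodules` helpers are constructed for this example; the scp-like `host:path` detection is an assumed simplification of git's own rules (no `://` and a `:` before any `/`).

```python
"""Added example (not the git or git-annex project's code): flag submodule
URLs whose SSH hostname starts with '-', the input class CVE-2017-1000117
describes. Run as a pre-clone or CI check on an untrusted .gitmodules."""
from urllib.parse import urlparse

# Constructed sample .gitmodules: one benign entry and one whose hostname
# is the page's example option-looking value.
SAMPLE_GITMODULES = """\
[submodule "lib/good"]
\tpath = lib/good
\turl = ssh://git@example.com:22/org/good.git
[submodule "lib/bad"]
\tpath = lib/bad
\turl = ssh://-eProxyCommand=evil/blah
"""

SSH_SCHEMES = ("ssh", "git+ssh", "ssh+git")


def parse_gitmodules(text):
    """Minimal .gitmodules parser: {submodule name: {key: value}}."""
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            header = line[1:-1]
            if header.startswith("submodule "):
                current = header.split(" ", 1)[1].strip('"')
                modules[current] = {}
            else:
                current = None  # some other section; ignore its keys
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            modules[current][key.strip()] = value.strip()
    return modules


def ssh_host(url):
    """Return the hostname git would pass to ssh for this URL, or None when
    the URL does not use the SSH transport (https, local path, ...).
    Handles ssh://[user@]host[:port]/path and the scp-like [user@]host:path
    form (assumption: scp-like means no '://' and a ':' before any '/')."""
    if "://" in url:
        parsed = urlparse(url)
        if parsed.scheme not in SSH_SCHEMES:
            return None
        # Strip user@ and :port by hand so the host keeps its original case.
        host = parsed.netloc.rsplit("@", 1)[-1]
        if host.startswith("["):            # IPv6 literal, e.g. [::1]:22
            return host[1:host.find("]")]
        return host.split(":", 1)[0]
    colon, slash = url.find(":"), url.find("/")
    if colon > 0 and (slash == -1 or colon < slash):
        return url[:colon].rsplit("@", 1)[-1]
    return None


def is_dangerous_host(host):
    """A hostname beginning with '-' is parsed by ssh as an option."""
    return host is not None and host.startswith("-")


def find_unsafe_submodules(gitmodules_text):
    """Return (name, url, host) for every submodule with an option-like host."""
    findings = []
    for name, keys in parse_gitmodules(gitmodules_text).items():
        url = keys.get("url", "")
        host = ssh_host(url)
        if is_dangerous_host(host):
            findings.append((name, url, host))
    return findings


if __name__ == "__main__":
    for name, url, host in find_unsafe_submodules(SAMPLE_GITMODULES):
        print(f"REFUSE submodule {name!r}: host {host!r} in {url} looks like an ssh option")
```

A real pre-clone hook would read `.gitmodules` from the fetched tree (before `--recurse-submodules` runs) and abort when `find_unsafe_submodules` returns anything; the same `ssh_host` check applies to a remote URL a user is about to add.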