CVE-2017-17831

Name of the Vulnerable Software and Affected Versions Git LFS versions prior to 2.1.1

Description The issue allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, located on a url = line in a .lfsconfig file within a repository. This can be triggered by cloning a malicious repository, leading to arbitrary command execution due to improperly sanitized SSH URLs in LFS configuration files.

Recommendations For Git LFS versions prior to 2.1.1, update to version 2.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to repositories that may contain malicious .lfsconfig files to minimize the risk of exploitation. Avoid using ssh URLs with an initial dash character in the hostname until the issue is resolved.