PT-2017-3002 · Git+3

Joernchen · Published 2017-09-08 · Updated 2025-02-03 · CVE-2017-14867

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Git versions 2.10.5 and earlier, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2

Description: The issue is related to the use of unsafe Perl scripts to support subcommands such as cvsserver, allowing attackers to execute arbitrary OS commands via shell metacharacters in a module name. This can be exploited remotely to execute commands as the git user. The vulnerable code can be reached via git-shell even without CVS support.

Recommendations: For Git versions 2.10.5 and earlier, update to version 2.10.5 or later. For Git versions 2.11.x before 2.11.4, update to version 2.11.4 or later. For Git versions 2.12.x before 2.12.5, update to version 2.12.5 or later. For Git versions 2.13.x before 2.13.6, update to version 2.13.6 or later. For Git versions 2.14.x before 2.14.2, update to version 2.14.2 or later. As a temporary workaround, consider disabling the cvsserver subcommand until a patch is available.
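The affected ranges and fix versions above translate directly into an inventory check. The following is an added example, not part of this advisory or of the Git project: it parses `git --version` output, decides whether a version falls into one of the ranges listed here, and names the version to update to. The sample inventory (host names and version strings) is constructed for illustration. Where the advisory lists "2.10.5 and earlier" as affected but names 2.10.5 as the update target, the check follows the recommendation and treats 2.10.5 as fixed.

```python
import re

# Fix versions taken from the advisory's Recommendations, keyed by (major, minor) branch.
# Any version on a listed branch that is below its fix version is affected.
FIX_BY_BRANCH = {
    (2, 11): (2, 11, 4),
    (2, 12): (2, 12, 5),
    (2, 13): (2, 13, 6),
    (2, 14): (2, 14, 2),
}
# Everything older than the 2.11 branch is covered by the "2.10.5 and earlier" range.
# The advisory names 2.10.5 as the update target, so it is treated as fixed here (assumption).
OLDEST_FIXED = (2, 10, 5)

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'git version 2.13.1',
    '2.14.2.windows.1' or '2.14.0.rc2'; a missing patch level counts as 0.
    Pre-release suffixes are ignored, so an rc is compared as its base version."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no version number in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def fmt(v):
    """Render a version tuple as 'major.minor.patch'."""
    return ".".join(str(x) for x in v)


def assess(text):
    """Return (affected, fixed_in) for a Git version string.

    fixed_in is the version named in the advisory to update to, or None when the
    version is not inside any listed affected range (already fixed, or on a branch
    the advisory does not list, e.g. 2.15 and later)."""
    v = parse_version(text)
    if v < (2, 11, 0):
        fixed = OLDEST_FIXED
    else:
        fixed = FIX_BY_BRANCH.get(v[:2])
        if fixed is None:
            return (False, None)
    if v < fixed:
        return (True, fmt(fixed))
    return (False, None)


def report(inventory):
    """inventory: iterable of (host, output of `git --version`).
    Returns [(host, parsed_version, fixed_in), ...] for hosts still needing an update."""
    out = []
    for host, text in inventory:
        affected, fixed_in = assess(text)
        if affected:
            out.append((host, fmt(parse_version(text)), fixed_in))
    return out


# Constructed sample inventory (hypothetical hosts), not data from the advisory.
SAMPLE_INVENTORY = [
    ("build-01", "git version 2.13.5"),
    ("ci-02", "git version 2.14.2"),
    ("legacy-03", "git version 1.9.1"),
    ("dev-04", "git version 2.15.0"),
]

if __name__ == "__main__":
    for host, version, fixed_in in report(SAMPLE_INVENTORY):
        print("%s: git %s is in an affected range, update to %s or later" % (host, version, fixed_in))
```

Feed it the `git --version` line collected from each host; only hosts inside a listed range are reported, together with the branch-specific version from the Recommendations. The check says nothing about branches the advisory does not mention, so a result of "not affected" for 2.15 or later means "not in any listed range", not a statement about that branch.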

Fix

OS Command Injection

RCE


Weakness Enumeration

Related identifiers

ALT-PU-2018-1517
AZL-43047
BDU:2017-02354
CVE-2017-14867
DLA-1120-1
DSA-3984-1
MGASA-2017-0404
OPENSUSE-SU-2017_2757-1
OPENSUSE-SU-2024:10786-1
SUSE-SU-2017:2717-1
SUSE-SU-2017:2747-1
SUSE-SU-2017_2717-1
SUSE-SU-2017_2747-1
SUSE-SU-2025:20049-1
USN-3438-1

Affected products

Alt Linux
Git
Suse
Ubuntu