PT-2017-12814 · Joey Hess · Git-Annex

Published

2017-08-20

·

Updated

2025-11-14

·

CVE-2017-12976

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

git-annex versions prior to 6.20170818

Description

git-annex passes the hostname of an ssh:// remote URL to ssh without checking that it actually looks like a hostname. A hostname beginning with a dash is therefore parsed by ssh as a command-line option rather than as a host, so the attacker controls both the option and its value (command injection via a malicious SSH hostname). An attacker who tricks a victim into adding a remote repository with a specially crafted URL, such as ssh://-eProxyCommand=evil/blah, can achieve arbitrary code execution on the victim's machine. The malicious URL can also be embedded in the git-annex branch with initremote, so that the victim triggers the issue simply by enabling that special remote with enableremote.

Recommendations

For versions prior to 6.20170818, update to version 6.20170818 or later, which rejects hostnames beginning with a dash. Until the update is applied, do not run enableremote on special remotes that were configured by others, and add new remote repositories only from trusted sources after checking that the hostname in the URL does not begin with a dash.
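The following is an added example, not git-annex's own code, showing why a dash-prefixed host is dangerous and how a remote-URL pre-check of the kind recommended above can be written. It builds the ssh argument vector from an ssh:// URL the way a vulnerable client would, beside a hardened variant that refuses option-like host and user parts. The helper names (split_authority, ssh_argv_vulnerable, ssh_argv_hardened, remote_url_is_safe) are hypothetical; the sample URLs are constructed, the first one being the advisory's own demonstration string, and the user-part check goes beyond what the advisory describes.

```python
# Added example (not git-annex code): building an ssh argv from an ssh:// URL.
# Helper names are hypothetical; sample URLs below are constructed.
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def split_authority(url: str) -> Tuple[Optional[str], str, Optional[int]]:
    """Return (user, host, port) from an ssh:// URL.

    netloc is used instead of .hostname so the host keeps its case and its
    leading characters exactly as they would reach the ssh command line.
    """
    parts = urlsplit(url)
    if parts.scheme != "ssh":
        raise ValueError(f"not an ssh URL: {url!r}")
    authority = parts.netloc
    user = None
    if "@" in authority:
        user, authority = authority.rsplit("@", 1)
    port = None
    if authority.startswith("["):  # bracketed IPv6 literal
        host, _, rest = authority[1:].partition("]")
        if rest.startswith(":") and rest[1:]:
            port = int(rest[1:])
    else:
        host, _, port_str = authority.partition(":")
        if port_str:
            port = int(port_str)
    return user, host, port


def ssh_argv_vulnerable(url: str, remote_cmd: str) -> List[str]:
    """Pre-fix behaviour: the host goes straight into argv.

    For the advisory's URL this yields ["ssh", "-eProxyCommand=evil", ...]:
    ssh's option parser sees the leading dash and consumes the attacker's
    string as an option instead of a host name.
    """
    user, host, port = split_authority(url)
    argv = ["ssh"]
    if port is not None:
        argv += ["-p", str(port)]
    argv.append(f"{user}@{host}" if user else host)
    argv.append(remote_cmd)
    return argv


def looks_like_option(s: str) -> bool:
    """True if s would be consumed as a command-line option by ssh."""
    return s.startswith("-")


def ssh_argv_hardened(url: str, remote_cmd: str) -> List[str]:
    """Refuse option-like host (and user) parts, then build argv.

    The user name is passed via -l so a crafted user part is never glued onto
    the host positional argument; that extra check is an assumption of this
    example, not something the advisory describes.
    """
    user, host, port = split_authority(url)
    if not host or looks_like_option(host):
        raise ValueError(f"refusing hostname that would be parsed as an option: {host!r}")
    if user is not None and (not user or looks_like_option(user)):
        raise ValueError(f"refusing user name that would be parsed as an option: {user!r}")
    argv = ["ssh"]
    if port is not None:
        argv += ["-p", str(port)]
    if user is not None:
        argv += ["-l", user]
    argv += [host, remote_cmd]
    return argv


def remote_url_is_safe(url: str) -> bool:
    """Pre-check for vetting a remote URL before adding or enabling it."""
    try:
        ssh_argv_hardened(url, "true")
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: the advisory's demonstration URL and a benign one.
    for u in ("ssh://-eProxyCommand=evil/blah", "ssh://git@example.org:2222/repo"):
        print(u, "->", ssh_argv_vulnerable(u, "git-annex-shell"),
              "safe:", remote_url_is_safe(u))
```

The leading-dash check is the primary control: it is what distinguishes a host name from an option in the argument vector that git-annex hands to ssh, and it is cheap to apply to any URL before it is stored in the git-annex branch or enabled from it.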

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2017-12976
DLA-1144-1
DLA-1495-1
DSA-4010-1
HSEC-2023-0009

Affected Products

Git-Annex