module: github.com/git-lfs/git-lfs
package: github.com/git-lfs/git-lfs/lfsapi
versions:
- fixed: v2.1.1-0.20170519163204-f913f5f9c7c6+incompatible
description: |
  Arbitrary command execution can be triggered by improperly
  sanitized SSH URLs in LFS configuration files. This can be
  triggered by cloning a malicious repository.
published: 2021-04-14T12:00:00Z
cve: CVE-2017-17831
symbols:
- sshGetLFSExeAndArgs
links:
  pr: https://github.com/git-lfs/git-lfs/pull/2241
  commit: https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19
  context:
    - http://blog.recurity-labs.com/2017-08-10/scm-vulns
    - https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html
    - http://www.securityfocus.com/bid/102926