| module: github.com/git-lfs/git-lfs |
| package: github.com/git-lfs/git-lfs/lfsapi |
| versions: |
| - fixed: v2.1.1-0.20170519163204-f913f5f9c7c6+incompatible |
| description: | |
| Arbitary command execution can be triggered by improperly |
| sanitized SSH URLs in LFS configuration files. This can be |
| triggered by cloning a malicious repoistory. |
| published: 2021-04-14T12:00:00Z |
| cve: CVE-2017-17831 |
| symbols: |
| - sshGetLFSExeAndArgs |
| links: |
| pr: https://github.com/git-lfs/git-lfs/pull/2241 |
| commit: https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19 |
| context: |
| - http://blog.recurity-labs.com/2017-08-10/scm-vulns |
| - https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html |
| - http://www.securityfocus.com/bid/102926 |