data/reports/GO-2021-0073.yaml - vulndb - Git at Google

 modules:
   - module: github.com/git-lfs/git-lfs
     versions:
       - fixed: 2.1.1-0.20170519163204-f913f5f9c7c6+incompatible
     vulnerable_at: 2.1.0+incompatible
     packages:
       - package: github.com/git-lfs/git-lfs/lfsapi
         symbols:
           - sshGetLFSExeAndArgs
         derived_symbols:
           - Client.NewRequest
           - sshAuthClient.Resolve
           - sshCache.Resolve
 description: |
     Arbitrary command execution can be triggered by improperly
     sanitized SSH URLs in LFS configuration files. This can be
     triggered by cloning a malicious repository.
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2017-17831
 references:
   - fix: https://github.com/git-lfs/git-lfs/pull/2241
   - fix: https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19
   - web: http://blog.recurity-labs.com/2017-08-10/scm-vulns
   - web: https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html
   - web: http://www.securityfocus.com/bid/102926
	modules:
	- module: github.com/git-lfs/git-lfs
	versions:
	- fixed: 2.1.1-0.20170519163204-f913f5f9c7c6+incompatible
	vulnerable_at: 2.1.0+incompatible
	packages:
	- package: github.com/git-lfs/git-lfs/lfsapi
	symbols:
	- sshGetLFSExeAndArgs
	derived_symbols:
	- Client.NewRequest
	- sshAuthClient.Resolve
	- sshCache.Resolve
	description: \|
	Arbitrary command execution can be triggered by improperly
	sanitized SSH URLs in LFS configuration files. This can be
	triggered by cloning a malicious repository.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2017-17831
	references:
	- fix: https://github.com/git-lfs/git-lfs/pull/2241
	- fix: https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19
	- web: http://blog.recurity-labs.com/2017-08-10/scm-vulns
	- web: https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html
	- web: http://www.securityfocus.com/bid/102926