data/reports/GO-2021-0073.yaml

modules:
  - module: github.com/git-lfs/git-lfs
    versions:
      - fixed: 2.1.1-0.20170519163204-f913f5f9c7c6+incompatible
    vulnerable_at: 2.1.0+incompatible
    packages:
      - package: github.com/git-lfs/git-lfs/lfsapi
        symbols:
          - sshGetLFSExeAndArgs
        derived_symbols:
          - Client.NewRequest
          - sshAuthClient.Resolve
          - sshCache.Resolve
description: |
    Arbitrary command execution can be triggered by improperly
    sanitized SSH URLs in LFS configuration files. This can be
    triggered by cloning a malicious repository.
published: 2021-04-14T20:04:52Z
cves:
  - CVE-2017-17831
ghsas:
  - GHSA-w4xh-w33p-4v29
references:
  - fix: https://github.com/git-lfs/git-lfs/pull/2241
  - fix: https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19
  - web: http://blog.recurity-labs.com/2017-08-10/scm-vulns
  - web: https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html
  - web: http://www.securityfocus.com/bid/102926