| modules: |
| - module: github.com/git-lfs/git-lfs |
| versions: |
| - fixed: 2.1.1-0.20170519163204-f913f5f9c7c6+incompatible |
| vulnerable_at: 2.1.0+incompatible |
| packages: |
| - package: github.com/git-lfs/git-lfs/lfsapi |
| symbols: |
| - sshGetLFSExeAndArgs |
| derived_symbols: |
| - Client.NewRequest |
| - sshAuthClient.Resolve |
| - sshCache.Resolve |
| description: | |
| Arbitrary command execution can be triggered by improperly |
| sanitized SSH URLs in LFS configuration files. This can be |
| triggered by cloning a malicious repository. |
| published: 2021-04-14T20:04:52Z |
| cves: |
| - CVE-2017-17831 |
| references: |
| - fix: https://github.com/git-lfs/git-lfs/pull/2241 |
| - fix: https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19 |
| - web: http://blog.recurity-labs.com/2017-08-10/scm-vulns |
| - web: https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html |
| - web: http://www.securityfocus.com/bid/102926 |