blob: a87d0544a5cd2db55a8460760d6e34a0d1db0740 [file] [log] [blame]
id: GO-2021-0073
modules:
- module: github.com/git-lfs/git-lfs
versions:
- fixed: 2.1.1-0.20170519163204-f913f5f9c7c6+incompatible
vulnerable_at: 2.1.0+incompatible
packages:
- package: github.com/git-lfs/git-lfs/lfsapi
symbols:
- sshGetLFSExeAndArgs
derived_symbols:
- Client.NewRequest
- sshAuthClient.Resolve
- sshCache.Resolve
summary: Arbitrary command execution in github.com/git-lfs/git-lfs
description: |-
Arbitrary command execution can be triggered by improperly sanitized SSH URLs in
LFS configuration files. This can be triggered by cloning a malicious
repository.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2017-17831
ghsas:
- GHSA-w4xh-w33p-4v29
references:
- fix: https://github.com/git-lfs/git-lfs/pull/2241
- fix: https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19
- web: http://blog.recurity-labs.com/2017-08-10/scm-vulns
- web: https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html
review_status: REVIEWED