| id: GO-2021-0073 |
| modules: |
| - module: github.com/git-lfs/git-lfs |
| versions: |
| - fixed: 2.1.1-0.20170519163204-f913f5f9c7c6+incompatible |
| vulnerable_at: 2.1.0+incompatible |
| packages: |
| - package: github.com/git-lfs/git-lfs/lfsapi |
| symbols: |
| - sshGetLFSExeAndArgs |
| derived_symbols: |
| - Client.NewRequest |
| - sshAuthClient.Resolve |
| - sshCache.Resolve |
| summary: Arbitrary command execution in github.com/git-lfs/git-lfs |
| description: |- |
| Arbitrary command execution can be triggered by improperly sanitized SSH URLs in |
| LFS configuration files. This can be triggered by cloning a malicious |
| repository. |
| published: 2021-04-14T20:04:52Z |
| cves: |
| - CVE-2017-17831 |
| ghsas: |
| - GHSA-w4xh-w33p-4v29 |
| references: |
| - fix: https://github.com/git-lfs/git-lfs/pull/2241 |
| - fix: https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19 |
| - web: http://blog.recurity-labs.com/2017-08-10/scm-vulns |
| - web: https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html |
| review_status: REVIEWED |