{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "dateAssigned": "2017-08-22T00:00:00", "datePublic": "2017-10-03T00:00:00", "descriptions": [{"lang": "en", "value": "A malicious third-party can give a crafted \"ssh://...\" URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running \"git clone --recurse-submodules\" to trigger the vulnerability."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-01-04T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "DSA-3934", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2017/dsa-3934"}, {"name": "RHSA-2017:2674", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:2674"}, {"name": "1039131", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1039131"}, {"name": "42599", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/42599/"}, {"name": "RHSA-2017:2675", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:2675"}, {"name": "RHSA-2017:2484", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:2484"}, {"name": "RHSA-2017:2491", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:2491"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.apple.com/HT208103"}, {"tags": ["x_refsource_MISC"], "url": "https://www.mail-archive.com/linux-kernel%40vger.kernel.org/msg1466490.html"}, {"name": "100283", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/100283"}, {"name": "GLSA-201709-10", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201709-10"}, {"name": "RHSA-2017:2485", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:2485"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2017-08-22T17:29:33.329422", "ID": "CVE-2017-1000117", "REQUESTER": "gitster@pobox.com", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A malicious third-party can give a crafted \"ssh://...\" URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running \"git clone --recurse-submodules\" to trigger the vulnerability."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "DSA-3934", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2017/dsa-3934"}, {"name": "RHSA-2017:2674", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:2674"}, {"name": "1039131", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1039131"}, {"name": "42599", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/42599/"}, {"name": "RHSA-2017:2675", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:2675"}, {"name": "RHSA-2017:2484", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:2484"}, {"name": "RHSA-2017:2491", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:2491"}, {"name": "https://support.apple.com/HT208103", "refsource": "CONFIRM", "url": "https://support.apple.com/HT208103"}, {"name": "https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1466490.html", "refsource": "MISC", "url": "https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1466490.html"}, {"name": "100283", "refsource": "BID", "url": "http://www.securityfocus.com/bid/100283"}, {"name": "GLSA-201709-10", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201709-10"}, {"name": "RHSA-2017:2485", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:2485"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T21:53:06.692Z"}, "title": "CVE Program Container", "references": [{"name": "DSA-3934", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2017/dsa-3934"}, {"name": "RHSA-2017:2674", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:2674"}, {"name": "1039131", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1039131"}, {"name": "42599", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/42599/"}, {"name": "RHSA-2017:2675", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:2675"}, {"name": "RHSA-2017:2484", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:2484"}, {"name": "RHSA-2017:2491", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:2491"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.apple.com/HT208103"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mail-archive.com/linux-kernel%40vger.kernel.org/msg1466490.html"}, {"name": "100283", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/100283"}, {"name": "GLSA-201709-10", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201709-10"}, {"name": "RHSA-2017:2485", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:2485"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-1000117", "datePublished": "2017-10-04T01:00:00", "dateReserved": "2017-10-03T00:00:00", "dateUpdated": "2024-08-05T21:53:06.692Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "84CB932E-3257-479A-B954-04E7FE3492AA", "versionEndIncluding": "2.7.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "9896397E-782E-4DFE-827F-B90B6B03180F", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.8.0:rc0:*:*:*:*:*:*", "matchCriteriaId": "724E4EFF-3852-4393-BA02-C539931086AE", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.8.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "2029A919-F374-4BBD-9600-39CF3362FF53", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.8.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "AFBFE569-7A79-4DA2-A0D5-692F8979586D", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.8.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "BEFB1D30-65A7-41AF-90EB-724DC43E863E", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "723F9CFF-5DF8-4C67-BB1B-8D466BFBBD02", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.8.2:*:*:*:*:*:*:*", "matchCriteriaId": "09AD7972-8B47-46B3-BA30-B231BEE61CC8", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.8.3:*:*:*:*:*:*:*", "matchCriteriaId": "A10D5AB3-4282-446D-BCA7-478E1E8BD023", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.8.4:*:*:*:*:*:*:*", "matchCriteriaId": "EB7F6D0D-28C2-47FD-B558-AFD1EE62892C", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.8.5:*:*:*:*:*:*:*", "matchCriteriaId": "498161A8-6E94-4B87-9501-A350832CE537", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7A07BE55-D467-49CE-8450-80033A620065", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.9.0:rc0:*:*:*:*:*:*", "matchCriteriaId": "584B9BC8-5780-467F-BEA8-4629179EF512", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.9.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "BF4ED0D4-8845-4D9B-8FDD-9C5B0669820F", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.9.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "498C3970-FD12-4DE7-8B29-F1A523411CA8", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "2F564229-0A0E-4C3D-A78A-000DCB0160EF", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.9.2:*:*:*:*:*:*:*", "matchCriteriaId": "E7595ECD-7BFD-4581-A995-FEE5E5217CDD", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.9.3:*:*:*:*:*:*:*", "matchCriteriaId": "1F75D4CF-A398-4E01-829D-C940C6332B10", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.9.4:*:*:*:*:*:*:*", "matchCriteriaId": "F4A5029C-C798-4D78-B3B7-D05B58EEE9AF", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "FB2EE715-5F6B-4418-B126-2B4479A6AACE", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.10.0:rc0:*:*:*:*:*:*", "matchCriteriaId": "9F01B79C-94C3-4612-A75A-916B21A908C9", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.10.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "01432EC1-B91A-435C-A678-1095C1B05C96", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.10.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "F15B4DD5-820D-4B20-8C05-63C29DBC442B", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.10.1:*:*:*:*:*:*:*", "matchCriteriaId": "C3AFD4F3-99A3-40A2-A479-F3B2EAAD5106", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.10.2:*:*:*:*:*:*:*", "matchCriteriaId": "1F0CFE5D-8865-4D6A-A170-54C23BA3D29C", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.10.3:*:*:*:*:*:*:*", "matchCriteriaId": "303F3C6A-2603-4B1B-9122-7B0E53EB0550", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.11.0:*:*:*:*:*:*:*", "matchCriteriaId": "B97E04C0-465C-4A2D-8FD5-FC75094E3736", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.11.0:rc0:*:*:*:*:*:*", "matchCriteriaId": "EB78402D-3DCA-48DE-838F-89C89361D8F3", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.11.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "5F3C8084-7FEA-427C-9948-75DAC2914006", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.11.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "E8743E90-7C05-4656-B758-36052C926925", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.11.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F79B3A03-B0A5-4A00-A7A8-332D8ACB3799", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.11.1:*:*:*:*:*:*:*", "matchCriteriaId": "4EA24D16-84C8-4DF6-B4E1-288A3C991518", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.11.2:*:*:*:*:*:*:*", "matchCriteriaId": "FAA9C323-AEAA-4A55-849B-B0E731709AD6", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "F9CAC635-62EE-49EC-A5AA-5B4D8A1C6AC8", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.12.0:rc0:*:*:*:*:*:*", "matchCriteriaId": "BB756061-0242-48DE-B784-0868703B1CE8", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.12.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8DE21911-882D-4718-9808-05DDB50C9143", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.12.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "2F34AACB-1089-47E1-9BA7-DFD80B716552", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.12.1:*:*:*:*:*:*:*", "matchCriteriaId": "79BF6D70-E21E-4E47-A41E-C063659A7786", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.12.2:*:*:*:*:*:*:*", "matchCriteriaId": "5EDA604D-2901-4AF2-9411-80681B445F19", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.12.3:*:*:*:*:*:*:*", "matchCriteriaId": "A6EC96D3-BD11-4E2A-9E7B-276F4311EF54", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.13.0:*:*:*:*:*:*:*", "matchCriteriaId": "5EE0CA61-E0C2-432C-9095-DEDC2DDA32E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.13.0:rc0:*:*:*:*:*:*", "matchCriteriaId": "2580E25C-EF78-4DAD-8EEB-E35BD584DD5F", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.13.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "7C879263-ACFB-429C-A8ED-22CDE21AF993", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.13.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "658946E0-1DC0-4911-B92A-167D5CD284AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.13.1:*:*:*:*:*:*:*", "matchCriteriaId": "5CF7CD32-A6BB-474A-A356-C2BFBBE9910A", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.13.2:*:*:*:*:*:*:*", "matchCriteriaId": "A6945B1B-75CF-42F5-A93E-D077CA1ED9E4", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.13.3:*:*:*:*:*:*:*", "matchCriteriaId": "0D3A3F02-578A-4C96-B0A8-AED9204B8872", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.13.4:*:*:*:*:*:*:*", "matchCriteriaId": "17B08345-AE7F-4130-AD09-A5BA2F2C2F71", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.14.0:*:*:*:*:*:*:*", "matchCriteriaId": "75FFDA48-13E9-4918-BA44-EE3BCF670B31", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.14.0:rc0:*:*:*:*:*:*", "matchCriteriaId": "1B7828B4-C9D5-4F30-B03E-1A2584F270DD", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.14.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "5AE005D5-216B-4266-ABE4-265B66B65F86", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A malicious third-party can give a crafted \"ssh://...\" URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running \"git clone --recurse-submodules\" to trigger the vulnerability."}, {"lang": "es", "value": "Un tercero malicioso puede proporcionar una URL \"ssh://...\" manipulada a una v\u00edctima desprevenida y un intento de visita a la URL puede resultar en que se ejecute cualquier programa que exista en la m\u00e1quina de la v\u00edctima. Dicha URL podr\u00eda colocarse en el archivo .gitmodules de un proyecto malicioso y una v\u00edctima desprevenida podr\u00eda ser enga\u00f1ada para que ejecute \"git clone --recurse-submodules\" para desencadenar esta vulnerabilidad."}], "id": "CVE-2017-1000117", "lastModified": "2023-11-07T02:37:54.407", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-10-05T01:29:04.650", "references": [{"source": "cve@mitre.org", "url": "http://www.debian.org/security/2017/dsa-3934"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/100283"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1039131"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2017:2484"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2017:2485"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2017:2491"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2017:2674"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2017:2675"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://security.gentoo.org/glsa/201709-10"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://support.apple.com/HT208103"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/42599/"}, {"source": "cve@mitre.org", "url": "https://www.mail-archive.com/linux-kernel%40vger.kernel.org/msg1466490.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2017:2485", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "git-0:1.7.1-9.el6_9", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2017-08-16T00:00:00Z"}, {"advisory": "RHSA-2017:2484", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "git-0:1.8.3.1-12.el7_4", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2017-08-16T00:00:00Z"}, {"advisory": "RHSA-2017:2674", "cpe": "cpe:/a:redhat:mobile_application_platform:4.5", "package": "fh-system-dump-tool-0:1.0.0-5.el7", "product_name": "Red Hat Mobile Application Platform 4.5", "release_date": "2017-09-18T00:00:00Z"}, {"advisory": "RHSA-2017:2674", "cpe": "cpe:/a:redhat:mobile_application_platform:4.5", "package": "fping-0:3.10-4.el7map", "product_name": "Red Hat Mobile Application Platform 4.5", "release_date": "2017-09-18T00:00:00Z"}, {"advisory": "RHSA-2017:2674", "cpe": "cpe:/a:redhat:mobile_application_platform:4.5", "package": "nagios-0:4.0.8-8.el7map", "product_name": "Red Hat Mobile Application Platform 4.5", "release_date": "2017-09-18T00:00:00Z"}, {"advisory": "RHSA-2017:2674", "cpe": "cpe:/a:redhat:mobile_application_platform:4.5", "package": "nagios-plugins-0:2.0.3-3.el7map", "product_name": "Red Hat Mobile Application Platform 4.5", "release_date": "2017-09-18T00:00:00Z"}, {"advisory": "RHSA-2017:2674", "cpe": "cpe:/a:redhat:mobile_application_platform:4.5", "package": "perl-Crypt-CBC-0:2.33-2.el7map", "product_name": "Red Hat Mobile Application Platform 4.5", "release_date": "2017-09-18T00:00:00Z"}, {"advisory": "RHSA-2017:2674", "cpe": "cpe:/a:redhat:mobile_application_platform:4.5", "package": "perl-Crypt-DES-0:2.05-20.el7map", "product_name": "Red Hat Mobile Application Platform 4.5", "release_date": "2017-09-18T00:00:00Z"}, {"advisory": "RHSA-2017:2674", "cpe": "cpe:/a:redhat:mobile_application_platform:4.5", "package": "perl-Net-SNMP-0:6.0.1-7.el7map", "product_name": "Red Hat Mobile Application Platform 4.5", "release_date": "2017-09-18T00:00:00Z"}, {"advisory": "RHSA-2017:2674", "cpe": "cpe:/a:redhat:mobile_application_platform:4.5", "package": "phantomjs-0:1.9.7-3.el7map", "product_name": "Red Hat Mobile Application Platform 4.5", "release_date": "2017-09-18T00:00:00Z"}, {"advisory": "RHSA-2017:2674", "cpe": "cpe:/a:redhat:mobile_application_platform:4.5", "package": "python-meld3-0:0.6.10-1.el7map", "product_name": "Red Hat Mobile Application Platform 4.5", "release_date": "2017-09-18T00:00:00Z"}, {"advisory": "RHSA-2017:2674", "cpe": "cpe:/a:redhat:mobile_application_platform:4.5", "package": "qstat-0:2.11-13.20080912svn311.el7map", "product_name": "Red Hat Mobile Application Platform 4.5", "release_date": "2017-09-18T00:00:00Z"}, {"advisory": "RHSA-2017:2674", "cpe": "cpe:/a:redhat:mobile_application_platform:4.5", "package": "radiusclient-ng-0:0.5.6-9.el7map", "product_name": "Red Hat Mobile Application Platform 4.5", "release_date": "2017-09-18T00:00:00Z"}, {"advisory": "RHSA-2017:2674", "cpe": "cpe:/a:redhat:mobile_application_platform:4.5", "package": "redis-0:2.8.21-2.el7map", "product_name": "Red Hat Mobile Application Platform 4.5", "release_date": "2017-09-18T00:00:00Z"}, {"advisory": "RHSA-2017:2674", "cpe": "cpe:/a:redhat:mobile_application_platform:4.5", "package": "rhmap-fh-openshift-templates-0:4.5.0-11.el7", "product_name": "Red Hat Mobile Application Platform 4.5", "release_date": "2017-09-18T00:00:00Z"}, {"advisory": "RHSA-2017:2674", "cpe": "cpe:/a:redhat:mobile_application_platform:4.5", "package": "rhmap-mod_authnz_external-0:3.3.1-7.el7map", "product_name": "Red Hat Mobile Application Platform 4.5", "release_date": "2017-09-18T00:00:00Z"}, {"advisory": "RHSA-2017:2674", "cpe": "cpe:/a:redhat:mobile_application_platform:4.5", "package": "sendEmail-0:1.56-2.el7", "product_name": "Red Hat Mobile Application Platform 4.5", "release_date": "2017-09-18T00:00:00Z"}, {"advisory": "RHSA-2017:2674", "cpe": "cpe:/a:redhat:mobile_application_platform:4.5", "package": "ssmtp-0:2.64-14.el7map", "product_name": "Red Hat Mobile Application Platform 4.5", "release_date": "2017-09-18T00:00:00Z"}, {"advisory": "RHSA-2017:2674", "cpe": "cpe:/a:redhat:mobile_application_platform:4.5", "package": "supervisor-0:3.1.3-3.el7map", "product_name": "Red Hat Mobile Application Platform 4.5", "release_date": "2017-09-18T00:00:00Z"}, {"advisory": "RHSA-2017:2491", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-git29-git-0:2.9.3-3.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2017-08-17T00:00:00Z"}, {"advisory": "RHSA-2017:2491", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-git29-git-0:2.9.3-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2017-08-17T00:00:00Z"}], "bugzilla": {"description": "git: Command injection via malicious ssh URLs", "id": "1480386", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1480386"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-20", "details": ["A malicious third-party can give a crafted \"ssh://...\" URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running \"git clone --recurse-submodules\" to trigger the vulnerability.", "A shell command injection flaw related to the handling of \"ssh\" URLs has been discovered in Git. An attacker could use this flaw to execute shell commands with the privileges of the user running the Git client, for example, when performing a \"clone\" action on a malicious repository or a legitimate repository containing a malicious commit."], "name": "CVE-2017-1000117", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:6", "fix_state": "Not affected", "package_name": "jgit", "product_name": "Red Hat BPM Suite 6"}, {"cpe": "cpe:/a:redhat:jboss_amq:6", "fix_state": "Not affected", "package_name": "fabric8", "product_name": "Red Hat JBoss A-MQ 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6", "fix_state": "Not affected", "package_name": "jgit", "product_name": "Red Hat JBoss BRMS 6"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Not affected", "package_name": "jgit", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Not affected", "package_name": "camel", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Not affected", "package_name": "jgit", "product_name": "Red Hat JBoss Fuse Service Works 6"}], "public_date": "2017-08-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-1000117\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-1000117\nhttp://blog.recurity-labs.com/2017-08-10/scm-vulns\nhttps://lkml.org/lkml/2017/8/10/757"], "threat_severity": "Important", "upstream_fix": "git 2.7.6, git 2.8.6, git 2.9.5, git 2.10.4, git 2.11.3, git 2.12.4, git 2.13.5, git 2.14.1"}