← back
CVE-2017-8386

CVE-2017-8386

EPSS 11.7%
git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a - (dash) character.
Affected products
n/a · n/a

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://lists.opensuse.org/opensuse-updates/2017-05/msg00090.htmlhttp://public-inbox.org/git/xmqq8tm5ziat.fsf%40gitster.mtv.corp.google.com/https://access.redhat.com/errata/RHSA-2017:2004https://access.redhat.com/errata/RHSA-2017:2491https://insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-8386/https://kernel.googlesource.com/pub/scm/git/git/+/3ec804490a265f4c418a321428c12f3f18b7eff5https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ISHYFLM2ACYHHY3JHCLF75X7UF4ZMDM/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DPYRN7APMHY4ZFDPAKD22J5R4QJFY2JP/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FDS3LSJJ3YGGQYIVPKQDVOCXWDSF6JGF/https://security.gentoo.org/glsa/201706-04http://www.debian.org/security/2017/dsa-3848http://www.securityfocus.com/bid/98409