CVE-2017-14867

Impact:
Moderate
Public Date:
2017-09-26
CWE:
CWE-20
Bugzilla:
1496344: CVE-2017-14867 git: cvsserver command injection

The MITRE CVE dictionary describes this issue as:

Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.

Find out more about CVE-2017-14867 from the MITRE CVE dictionary and NIST NVD.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 7.8
CVSS3 Base Metrics CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality Impact High
Integrity Impact High
Availability Impact High

Affected Packages State

Platform Package State
Red Hat Software Collections for Red Hat Enterprise Linux rh-git29-git Will not fix
Red Hat Mobile Application Platform On-Premise 4 fh-scm Not affected
Red Hat JBoss Fuse Service Works 6 jgit Not affected
Red Hat JBoss Fuse 6 camel Not affected
Red Hat JBoss Data Virtualization 6 jgit Not affected
Red Hat JBoss BRMS 6 jgit Not affected
Red Hat JBoss BPMS 6 jgit Not affected
Red Hat JBoss A-MQ 6 fabric8 Not affected
Red Hat Enterprise Linux 7 git Will not fix
Red Hat Enterprise Linux 6 git Will not fix

Mitigation

If you do not rely on the commands provided by the git "-cvs" subpackage (for example "git cvsserver" or "git cvsimport") on RHEL or RHSCL, you can uninstall that "-cvs" subpackage; the vulnerable Perl helper scripts ship with it.
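As an added example (not code from the Red Hat advisory or from the Git project), the following POSIX shell script turns the two actionable parts of this page into a host check: it classifies a Git version string against the affected ranges MITRE lists above (fixed in 2.10.5, 2.11.4, 2.12.5, 2.13.6 and 2.14.2; anything older than 2.10.5, such as the 1.x Git on RHEL 6 and 7, is in the affected range), and it reports whether the "-cvs" subpackage named in the Mitigation section is still installed. The subpackage name defaults to git-cvs, the RHEL name; the RHSCL name is passed as an argument and is assumed to follow the rh-git29-git-cvs pattern implied by the package column above. The rpm and git invocations only run when those tools exist on the host, so the version logic can be exercised offline.

```shell
#!/bin/sh
# Added example, not taken from the Red Hat advisory: classify the installed Git
# against the CVE-2017-14867 ranges and check for the git "-cvs" subpackage.

# Extract "X.Y.Z" (any number of dotted components) from a "git --version"
# banner such as "git version 2.14.2" or "git version 2.14.2.windows.1".
git_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^git version \([0-9]\{1,\}\(\.[0-9]\{1,\}\)*\).*$/\1/p'
}

# Compare a dotted version against the fixed releases named in the CVE text:
# 2.10.5, 2.11.4, 2.12.5, 2.13.6, 2.14.2. Below 2.10.5 is affected; 2.15 and
# later fall outside the listed ranges. Prints "affected" or "fixed" and
# returns 0 when fixed, 1 when affected.
cve_2017_14867_status() {
    oldifs=$IFS
    IFS=.
    set -- $1            # split the version on dots into $1 $2 $3 ...
    IFS=$oldifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    minor=${minor%%[!0-9]*}; minor=${minor:-0}   # drop suffixes like "rc1"
    patch=${patch%%[!0-9]*}; patch=${patch:-0}
    status=fixed
    if [ "$major" -lt 2 ]; then
        status=affected
    elif [ "$major" -eq 2 ]; then
        case "$minor" in
            10) [ "$patch" -ge 5 ] || status=affected ;;
            11) [ "$patch" -ge 4 ] || status=affected ;;
            12) [ "$patch" -ge 5 ] || status=affected ;;
            13) [ "$patch" -ge 6 ] || status=affected ;;
            14) [ "$patch" -ge 2 ] || status=affected ;;
            *)  [ "$minor" -ge 15 ] || status=affected ;;
        esac
    fi
    printf '%s\n' "$status"
    [ "$status" = fixed ]
}

# Report whether the "-cvs" subpackage is installed. The default name git-cvs
# is the RHEL subpackage; pass e.g. rh-git29-git-cvs (assumed RHSCL name).
# Prints "present" (returns 0), "absent" (1) or "unknown" (2, no rpm on host).
git_cvs_subpackage_state() {
    pkg="${1:-git-cvs}"
    if ! command -v rpm >/dev/null 2>&1; then
        printf 'unknown\n'; return 2
    fi
    if rpm -q "$pkg" >/dev/null 2>&1; then
        printf 'present\n'; return 0
    fi
    printf 'absent\n'; return 1
}

# Stand-alone use: run the live checks only when git is available on this host.
if command -v git >/dev/null 2>&1; then
    v=$(git_version_from_banner "$(git --version)")
    printf 'git %s: %s\n' "$v" "$(cve_2017_14867_status "$v")"
    printf 'git-cvs subpackage: %s\n' "$(git_cvs_subpackage_state)"
fi
```

Note that on RHEL 6 and 7 the status will always come back "affected" because Red Hat marked the package "Will not fix"; there the meaningful result is the subpackage line, since removing git-cvs is the mitigation the page offers.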

Last Modified

CVE description copyright © 2017, The MITRE Corporation