CVE-2017-8386

git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a - (dash) character.

Published: Jun 1, 2017
Updated: Apr 13, 2023
CVE: CVE-2017-8386
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
opensuse / leap	42.1	42.1.x
debian / debian_linux	8.0	8.0.x
canonical / ubuntu_linux	16.10	16.10.x
canonical / ubuntu_linux	16.04	16.04.x
canonical / ubuntu_linux	14.04	14.04.x
canonical / ubuntu_linux	17.04	17.04.x
fedoraproject / fedora	26	26.x
fedoraproject / fedora	25	25.x
fedoraproject / fedora	24	24.x

http://lists.opensuse.org/opensuse-updates/2017-05/msg00090.html
http://public-inbox.org/git/[email protected]/
http://public-inbox.org/git/xmqq8tm5ziat.fsf%40gitster.mtv.corp.google.com/
http://www.debian.org/security/2017/dsa-3848
http://www.securityfocus.com/bid/98409
http://www.securitytracker.com/id/1038479
http://www.ubuntu.com/usn/USN-3287-1
https://access.redhat.com/errata/RHSA-2017:2004
https://access.redhat.com/errata/RHSA-2017:2491
https://insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-8386/
https://kernel.googlesource.com/pub/scm/git/git/+/3ec804490a265f4c418a321428c12f3f18b7eff5
https://lists.fedoraproject.org/archives/list/[email protected]/message/3ISHYFLM2ACYHHY3JHCLF75X7UF4ZMDM/
https://lists.fedoraproject.org/archives/list/[email protected]/message/DPYRN7APMHY4ZFDPAKD22J5R4QJFY2JP/
https://lists.fedoraproject.org/archives/list/[email protected]/message/FDS3LSJJ3YGGQYIVPKQDVOCXWDSF6JGF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ISHYFLM2ACYHHY3JHCLF75X7UF4ZMDM/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DPYRN7APMHY4ZFDPAKD22J5R4QJFY2JP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FDS3LSJJ3YGGQYIVPKQDVOCXWDSF6JGF/
https://security.gentoo.org/glsa/201706-04

Vulnerability Database

289,599

CVE-2017-8386