Description
GitHub Git LFS Arbitrary command execution vulnerability
GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, located on a url = line in a .lfsconfig file within a repository.
Specific Go Packages Affected
github.com/git-lfs/git-lfs/lfsapi
References
- https://nvd.nist.gov/vuln/detail/CVE-2017-17831
- https://github.com/git-lfs/git-lfs/pull/2241
- https://github.com/git-lfs/git-lfs/pull/2242
- https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19
- https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html
- https://github.com/git-lfs/git-lfs/releases/tag/v2.1.1
- https://pkg.go.dev/vuln/GO-2021-0073
- https://web.archive.org/web/20200227131639/http://www.securityfocus.com/bid/102926
- http://blog.recurity-labs.com/2017-08-10/scm-vulns
- http://www.securityfocus.com/bid/102926
Packages
- Package: github.com/git-lfs/git-lfs
- Affected versions: < 2.1.1-0.20170519163204-f913f5f9c7c6
- Fixed version: 2.1.1-0.20170519163204-f913f5f9c7c6
Related vulnerabilities
GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, located on a "url =" line in a .lfsconfig file within a repository.
GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitra ...