logo

Database

Lack of data validation In github.com/git-lfs/git-lfs/lfsapi

Description

GitHub Git LFS Arbitrary command execution vulnerability GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, located on a url = line in a .lfsconfig file within a repository.

Specific Go Packages Affected

github.com/git-lfs/git-lfs/lfsapi

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2017-178312. NVD-2017-178313. OSV-2017-178314. GHSA-w4xh-w33p-4v295. GCVE-2017-17831

References

1. https://github.com/git-lfs/git-lfs/pull/22422. https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html3. https://github.com/git-lfs/git-lfs/releases/tag/v2.1.14. http://blog.recurity-labs.com/2017-08-10/scm-vulns5. https://github.com/git-lfs/git-lfs/pull/22416. https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf197. https://pkg.go.dev/vuln/GO-2021-00738. https://web.archive.org/web/20200227131639/http://www.securityfocus.com/bid/1029269. http://www.securityfocus.com/bid/102926

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.