CVE-2017-14867 — git - security update

Description

Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.

How to fix CVE-2017-14867

To remediate CVE-2017-14867, upgrade the affected package to a fixed version below.

—upgrade to 1:2.14.2-1 or later
—upgrade to 1:1.7.10.4-1+wheezy6 or later
—upgrade to 1:2.1.4-2.1+deb8u5 or later

Is CVE-2017-14867 being exploited?

Moderate — EPSS is 6.5%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (3)

from 0, < 1:2.14.2-1
from 0, < 1:1.7.10.4-1+wheezy6
from 0, < 1:2.1.4-2.1+deb8u5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2017-14867