CVE-2017-8386 — git - security update

Description

git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a - (dash) character.

How to fix CVE-2017-8386

To remediate CVE-2017-8386, upgrade the affected package to a fixed version below.

—upgrade to 2.6.7-r0 or later
—upgrade to 1:2.11.0-3 or later
—upgrade to 1:1.7.10.4-1+wheezy4 or later
—upgrade to 1:2.1.4-2.1+deb8u3 or later

Is CVE-2017-8386 being exploited?

Likely — EPSS is 71.5%, placing CVE-2017-8386 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (4)

from 0, < 2.6.7-r0
from 0, < 1:2.11.0-3
from 0, < 1:1.7.10.4-1+wheezy4
from 0, < 1:2.1.4-2.1+deb8u3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2017-8386
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2017-8386