CVE-2017-8386
- Source
- https://cve.org/CVERecord?id=CVE-2017-8386
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-8386.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2017-8386
- Downstream
- Related
- Published
- 2017-06-01T16:29:00.450Z
- Modified
- 2026-02-23T01:38:56.287209Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a - (dash) character.
- References
-
- http://public-inbox.org/git/xmqq8tm5ziat.fsf%40gitster.mtv.corp.google.com/
- https://insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-8386/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ISHYFLM2ACYHHY3JHCLF75X7UF4ZMDM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DPYRN7APMHY4ZFDPAKD22J5R4QJFY2JP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FDS3LSJJ3YGGQYIVPKQDVOCXWDSF6JGF/
- http://lists.opensuse.org/opensuse-updates/2017-05/msg00090.html
- http://www.debian.org/security/2017/dsa-3848
- http://www.securityfocus.com/bid/98409
- http://www.securitytracker.com/id/1038479
- http://www.ubuntu.com/usn/USN-3287-1
- https://access.redhat.com/errata/RHSA-2017:2004
- https://access.redhat.com/errata/RHSA-2017:2491
- https://insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-8386/
- https://kernel.googlesource.com/pub/scm/git/git/+/3ec804490a265f4c418a321428c12f3f18b7eff5
- https://security.gentoo.org/glsa/201706-04
- http://lists.opensuse.org/opensuse-updates/2017-05/msg00090.html
- http://www.ubuntu.com/usn/USN-3287-1
Affected packages
Git / github.com/wordpress/wordpress
Git / gitlab.com/gnutls/gnutls
Affected ranges
- Type
- GIT
- Repo
- https://gitlab.com/gnutls/gnutls
- Events
-
IntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixed
Affected versions
Other
gnutls_2_10_0
gnutls_2_10_1
gnutls_2_10_2
gnutls_2_5_0
gnutls_2_5_1
gnutls_2_5_2
gnutls_2_5_3
gnutls_2_5_4
gnutls_2_5_5
gnutls_2_8_0
gnutls_2_8_1
gnutls_2_8_2
gnutls_2_8_3
gnutls_2_8_4
gnutls_2_9_0
gnutls_2_9_1
gnutls_2_9_2
gnutls_2_9_3
Database specific
vanir_signatures
[
{
"source": "https://gitlab.com/gnutls/gnutls@b6bb58ba5b93a7906a537eb131e4e1ce07f0372e",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "tests/hostname-check.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"262037949721018349286716733708240001632",
"42428401121881700020927081551633321923",
"286052529975560624416004766932896935750",
"170954894982737295911640043409592307393",
"246624707001363846312947374865095294892",
"206813756523836877359681685380871665896",
"237544781980257368103219096070609061689",
"261680243281122811710504245528974906842",
"288884965459098269066746601852089083494",
"284851422164780836853140348474318450320",
"266753455185368382708667911070933856140",
"35126019357647370777678494509433152962",
"128866462411228087111103655751808000019",
"149368511436263414665080900832746471130",
"170946354528123646665107627645224824660",
"279292483067076547822591910676339022768",
"273876561878428541446564503025584331834",
"47908099805641951810494326322744609237",
"215545072161766268742765687002389973130",
"314068792411015677193956293583146469431",
"281119790339203037661775960260851655397",
"63737215502611705354577606721037202675",
"267429365218877762939610479506138481406",
"95081113264589260136617741054058497404",
"271002432007164692614673292129406419495"
]
},
"signature_version": "v1",
"id": "CVE-2017-8386-81df0738"
},
{
"source": "https://gitlab.com/gnutls/gnutls@b6bb58ba5b93a7906a537eb131e4e1ce07f0372e",
"deprecated": false,
"signature_type": "Function",
"target": {
"file": "tests/hostname-check.c",
"function": "doit"
},
"digest": {
"length": 6234.0,
"function_hash": "270034487616828764305389298002341867691"
},
"signature_version": "v1",
"id": "CVE-2017-8386-8d4b2a96"
}
]
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-8386.json"