{"id":"CVE-2017-14867","details":"Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.","modified":"2026-04-09T05:16:31.467409Z","published":"2017-09-29T01:34:50.047Z","related":["MGASA-2017-0404","SUSE-SU-2017:2717-1","SUSE-SU-2017:2747-1","SUSE-SU-2025:20049-1","openSUSE-SU-2024:10786-1"],"references":[{"type":"WEB","url":"https://public-inbox.org/git/xmqqy3p29ekj.fsf%40gitster.mtv.corp.google.com/T/#u"},{"type":"ADVISORY","url":"https://www.debian.org/security/2017/dsa-3984"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2017/09/26/9"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/101060"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1039431"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-security-announce/2017/msg00246.html"},{"type":"REPORT","url":"https://bugs.debian.org/876854"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/git/git","events":[{"introduced":"0"},{"last_affected":"0bfff8146f8c055fd95af4567286929ba8216fa7"},{"introduced":"0"},{"last_affected":"454cb6bd52a4de614a3633e4f547af03d5c3b640"},{"introduced":"0"},{"last_affected":"3b9e3c2cede15057af3ff8076c45ad5f33829436"},{"introduced":"0"},{"last_affected":"773e3a2e0226cffac6c813c2d3bea5ba480675d8"},{"introduced":"0"},{"last_affected":"3b827444811d7eddeddd44850f5dbbb4d59747f5"},{"introduced":"0"},{"last_affected":"e7e07d5a4fcc2a203d9873968ad3e6bd4d7419d7"},{"introduced":"0"},{"last_affected":"1f6b1afea00cdbc99114b88768aa5e617ff479df"},{"introduced":"0"},{"last_affected":"8f9aeb0d36c6cbfb849946bb272fa0d3c4611547"},{"introduced":"0"},{"last_affected":"95d67879735cfecfdd85f89e59d993c5b4de8835"},{"introduced":"0"},{"last_affected":"3d9c5b5c4461957fbbc0479e037990db04ebb740"},{"introduced":"0"},{"last_affected":"b06d3643105c8758ed019125a4399cb7efdcce2c"},{"introduced":"0"},{"last_affected":"2c04f6340579518c55a554fcac9fe21c01b3d3ea"},{"introduced":"0"},{"last_affected":"8c8e978f5719c6a58fb998742207bf907f963143"},{"introduced":"0"},{"last_affected":"08f9c32463bf9e578acb7ac5f77afd36e803c6bc"},{"introduced":"0"},{"last_affected":"cf8899d285d2648013040ec7196ffd3de0606664"},{"introduced":"0"},{"last_affected":"7234152e66e52c7601789f6de822bb39590f0595"},{"introduced":"0"},{"last_affected":"4384e3cde2ce8ecd194202e171ae16333d241326"},{"introduced":"0"},{"last_affected":"4d7268b888d7bb6d675340ec676e4239739d0f6d"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.10.4"},{"introduced":"0"},{"last_affected":"2.11.0"},{"introduced":"0"},{"last_affected":"2.11.1"},{"introduced":"0"},{"last_affected":"2.11.2"},{"introduced":"0"},{"last_affected":"2.11.3"},{"introduced":"0"},{"last_affected":"2.12.0"},{"introduced":"0"},{"last_affected":"2.12.1"},{"introduced":"0"},{"last_affected":"2.12.2"},{"introduced":"0"},{"last_affected":"2.12.3"},{"introduced":"0"},{"last_affected":"2.12.4"},{"introduced":"0"},{"last_affected":"2.13.0"},{"introduced":"0"},{"last_affected":"2.13.1"},{"introduced":"0"},{"last_affected":"2.13.2"},{"introduced":"0"},{"last_affected":"2.13.3"},{"introduced":"0"},{"last_affected":"2.13.4"},{"introduced":"0"},{"last_affected":"2.13.5"},{"introduced":"0"},{"last_affected":"2.14.0"},{"introduced":"0"},{"last_affected":"2.14.1"}]}}],"versions":["v0.99","v0.99.1","v0.99.2","v0.99.3","v0.99.4","v0.99.5","v0.99.6","v0.99.7","v0.99.8","v0.99.8a","v0.99.8b","v0.99.8c","v0.99.8d","v0.99.8e","v0.99.8f","v0.99.8g","v0.99.9a","v0.99.9b","v0.99.9c","v0.99.9d","v0.99.9e","v0.99.9f","v0.99.9g","v0.99.9h","v0.99.9i","v0.99.9j","v0.99.9k","v0.99.9l","v0.99.9m","v0.99.9n","v1.0.0","v1.0rc1","v1.0rc2","v1.0rc3","v1.0rc4","v1.0rc5","v1.0rc6","v1.1.0","v1.2.0","v1.3.0-rc1","v1.4.1","v1.4.1-rc1","v1.4.1-rc2","v1.4.2","v1.4.2-rc1","v1.4.2-rc2","v1.4.2-rc3","v1.4.2-rc4","v1.4.3","v1.4.3-rc1","v1.4.3-rc2","v1.4.3-rc3","v1.4.4","v1.4.4-rc1","v1.4.4-rc2","v1.4.4.1","v1.5.0","v1.5.0-rc0","v1.5.0-rc1","v1.5.0-rc2","v1.5.0-rc3","v1.5.0-rc4","v1.5.1","v1.5.1-rc1","v1.5.1-rc2","v1.5.1-rc3","v1.5.2","v1.5.2-rc0","v1.5.2-rc1","v1.5.2-rc2","v1.5.2-rc3","v1.5.3","v1.5.3-rc0","v1.5.3-rc1","v1.5.3-rc2","v1.5.3-rc3","v1.5.3-rc4","v1.5.3-rc5","v1.5.3-rc6","v1.5.3-rc7","v1.5.3.1","v1.5.4","v1.5.4-rc0","v1.5.4-rc1","v1.5.4-rc2","v1.5.4-rc3","v1.5.4-rc4","v1.5.4-rc5","v1.5.5","v1.5.5-rc0","v1.5.5-rc1","v1.5.5-rc2","v1.5.5-rc3","v1.5.6","v1.5.6-rc0","v1.5.6-rc1","v1.5.6-rc2","v1.5.6-rc3","v1.6.0","v1.6.0-rc0","v1.6.0-rc1","v1.6.0-rc2","v1.6.0-rc3","v1.6.1","v1.6.1-rc1","v1.6.1-rc2","v1.6.1-rc3","v1.6.1-rc4","v1.6.2","v1.6.2-rc0","v1.6.2-rc1","v1.6.2-rc2","v1.6.3","v1.6.3-rc0","v1.6.3-rc1","v1.6.3-rc2","v1.6.3-rc3","v1.6.3-rc4","v1.6.4","v1.6.4-rc0","v1.6.4-rc1","v1.6.4-rc2","v1.6.4-rc3","v1.6.5","v1.6.5-rc0","v1.6.5-rc1","v1.6.5-rc2","v1.6.5-rc3","v1.6.6","v1.6.6-rc0","v1.6.6-rc1","v1.6.6-rc2","v1.6.6-rc3","v1.6.6-rc4","v1.7.0","v1.7.0-rc0","v1.7.0-rc1","v1.7.0-rc2","v1.7.1","v1.7.1-rc0","v1.7.1-rc1","v1.7.1-rc2","v1.7.10","v1.7.10-rc0","v1.7.10-rc1","v1.7.10-rc2","v1.7.10-rc3","v1.7.10-rc4","v1.7.11","v1.7.11-rc0","v1.7.11-rc1","v1.7.11-rc2","v1.7.11-rc3","v1.7.12","v1.7.12-rc0","v1.7.12-rc1","v1.7.12-rc2","v1.7.12-rc3","v1.7.2","v1.7.2-rc0","v1.7.2-rc1","v1.7.2-rc2","v1.7.2-rc3","v1.7.3","v1.7.3-rc0","v1.7.3-rc1","v1.7.3-rc2","v1.7.3.1","v1.7.4","v1.7.4-rc0","v1.7.4-rc1","v1.7.4-rc2","v1.7.4-rc3","v1.7.5","v1.7.5-rc0","v1.7.5-rc1","v1.7.5-rc2","v1.7.5-rc3","v1.7.6","v1.7.6-rc0","v1.7.6-rc1","v1.7.6-rc2","v1.7.6-rc3","v1.7.7","v1.7.7-rc0","v1.7.7-rc1","v1.7.7-rc2","v1.7.7-rc3","v1.7.8","v1.7.8-rc0","v1.7.8-rc1","v1.7.8-rc2","v1.7.8-rc3","v1.7.8-rc4","v1.7.9","v1.7.9-rc0","v1.7.9-rc1","v1.7.9-rc2","v1.8.0","v1.8.0-rc0","v1.8.0-rc1","v1.8.0-rc2","v1.8.0-rc3","v1.8.1","v1.8.1-rc0","v1.8.1-rc1","v1.8.1-rc2","v1.8.1-rc3","v1.8.2","v1.8.2-rc0","v1.8.2-rc1","v1.8.2-rc2","v1.8.2-rc3","v1.8.3","v1.8.3-rc0","v1.8.3-rc1","v1.8.3-rc2","v1.8.3-rc3","v1.8.4","v1.8.4-rc0","v1.8.4-rc1","v1.8.4-rc2","v1.8.4-rc3","v1.8.4-rc4","v1.8.5","v1.8.5-rc0","v1.8.5-rc1","v1.8.5-rc2","v1.8.5-rc3","v1.9-rc0","v1.9-rc1","v1.9-rc2","v1.9.0","v1.9.0-rc3","v2.0.0","v2.0.0-rc0","v2.0.0-rc1","v2.0.0-rc2","v2.0.0-rc3","v2.0.0-rc4","v2.1.0","v2.1.0-rc0","v2.1.0-rc1","v2.1.0-rc2","v2.10.0","v2.10.0-rc0","v2.10.0-rc1","v2.10.0-rc2","v2.10.1","v2.10.2","v2.10.3","v2.10.4","v2.11.0","v2.11.0-rc0","v2.11.0-rc1","v2.11.0-rc2","v2.11.0-rc3","v2.11.1","v2.11.2","v2.11.3","v2.12.0","v2.12.0-rc0","v2.12.0-rc1","v2.12.0-rc2","v2.12.1","v2.12.2","v2.12.3","v2.12.4","v2.13.0","v2.13.0-rc0","v2.13.0-rc1","v2.13.0-rc2","v2.13.1","v2.13.2","v2.13.3","v2.13.4","v2.13.5","v2.14.0","v2.14.0-rc0","v2.14.0-rc1","v2.14.1","v2.2.0","v2.2.0-rc0","v2.2.0-rc1","v2.2.0-rc2","v2.2.0-rc3","v2.3.0","v2.3.0-rc0","v2.3.0-rc1","v2.3.0-rc2","v2.4.0","v2.4.0-rc0","v2.4.0-rc1","v2.4.0-rc2","v2.4.0-rc3","v2.5.0","v2.5.0-rc0","v2.5.0-rc1","v2.5.0-rc2","v2.5.0-rc3","v2.6.0","v2.6.0-rc0","v2.6.0-rc1","v2.6.0-rc2","v2.6.0-rc3","v2.7.0","v2.7.0-rc0","v2.7.0-rc1","v2.7.0-rc2","v2.7.0-rc3","v2.8.0","v2.8.0-rc0","v2.8.0-rc1","v2.8.0-rc2","v2.8.0-rc3","v2.8.0-rc4","v2.9.0","v2.9.0-rc0","v2.9.0-rc1","v2.9.0-rc2","v2.9.1","v2.9.2","v2.9.3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-14867.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}