{"id":"GO-2021-0073","summary":"Arbitrary command execution in github.com/git-lfs/git-lfs","details":"Improperly sanitized SSH URLs in LFS configuration files can lead to arbitrary command execution. The issue can be triggered by cloning a malicious repository.","aliases":["CVE-2017-17831","GHSA-w4xh-w33p-4v29"],"modified":"2026-03-17T04:05:46.878462Z","published":"2021-04-14T20:04:52Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0073","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://github.com/git-lfs/git-lfs/pull/2241"},{"type":"FIX","url":"https://github.com/git-lfs/git-lfs/commit/f913f5f9c7c6d1301785fdf9884a2942d59cdf19"},{"type":"WEB","url":"http://blog.recurity-labs.com/2017-08-10/scm-vulns"},{"type":"WEB","url":"https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html"}],"affected":[{"package":{"name":"github.com/git-lfs/git-lfs","ecosystem":"Go","purl":"pkg:golang/github.com/git-lfs/git-lfs"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.1.1-0.20170519163204-f913f5f9c7c6+incompatible"}]}],"ecosystem_specific":{"imports":[{"symbols":["Client.NewRequest","sshAuthClient.Resolve","sshCache.Resolve","sshGetLFSExeAndArgs"],"path":"github.com/git-lfs/git-lfs/lfsapi"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2021-0073.json"}}],"schema_version":"1.7.5"}