{"id":"HSEC-2023-0009","summary":"git-annex command injection via malicious SSH hostname","details":"# *git-annex* command injection via malicious SSH hostname\n\n*git-annex* was vulnerable to the same class of security hole as\ngit's **CVE-2017-1000117**. In several cases, `git-annex` parses a\nrepository URL, and uses it to generate a `ssh` command, with the\nhostname to ssh to coming from the URL. If the hostname it parses is\nsomething like `-eProxyCommand=evil`, this could result in arbitrary\nlocal code execution.\n\nSome details of URL parsing may prevent the exploit working in some\ncases.\n\nExploiting this would involve the attacker tricking the victim into\nadding a remote something like `ssh://-eProxyCommand=evil/blah`.\n\nOne possible avenue for an attacker that avoids exposing the URL to\nthe user is to use `initremote` with an SSH remote, so embedding the\nURL in the *git-annex* branch. Then the victim would enable it with\n`enableremote`.\n\nThis was fixed in version **6.20170818**. Now there's a `SshHost`\ntype that is not allowed to start with a dash, and every invocation\nof `git-annex` uses a function that takes a `SshHost`.\n","aliases":["CVE-2017-12976"],"modified":"2026-01-30T01:07:55.588571Z","published":"2025-11-14T14:45:34Z","related":["CVE-2017-1000116","CVE-2017-1000117","CVE-2017-12836","CVE-2017-9800"],"database_specific":{"osvs":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export","repository":"https://github.com/haskell/security-advisories","home":"https://github.com/haskell/security-advisories"},"references":[{"type":"ADVISORY","url":"https://git-annex.branchable.com/security/CVE-2017-12976/"},{"type":"FIX","url":"http://source.git-annex.branchable.com/?p=source.git;a=commitdiff;h=df11e54788b254efebb4898b474de11ae8d3b471"}],"affected":[{"package":{"name":"git-annex","ecosystem":"Hackage","purl":"pkg:hackage/git-annex"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.20170818"}]}],"versions":["3.20110702","3.20110702.2","3.20110705","3.20110707","3.20110819","3.20110902","3.20110906","3.20110915","3.20110928","3.20111011","3.20111122","3.20111203","3.20111211","3.20111231","3.20120113","3.20120115","3.20120116","3.20120123","3.20120227","3.20120229","3.20120230","3.20120309","3.20120315","3.20120405","3.20120406","3.20120418","3.20120430","3.20120511","3.20120522","3.20120605","3.20120611","3.20120614","3.20120615","3.20120624","3.20120629","3.20120721","3.20120807","3.20120825","3.20120924","3.20121001","3.20121009","3.20121010","3.20121016","3.20121017","3.20121112","3.20121126","3.20121127","3.20121127.1","3.20121211","3.20130102","3.20130105","3.20130107","3.20130114","3.20130124","3.20130207","3.20130216.1","4.20130227","4.20130314","4.20130323","4.20130405","4.20130417","4.20130501","4.20130501.1","4.20130516","4.20130521","4.20130521.1","4.20130521.2","4.20130601","4.20130627","4.20130709","4.20130723","4.20130802","4.20130815","4.20130827","4.20130909","4.20130920","4.20130927","4.20131002","4.20131024","4.20131101","4.20131106","5.20131118","5.20131120","5.20131127","5.20131130","5.20131213","5.20131221","5.20131230","5.20140107","5.20140108","5.20140116","5.20140127","5.20140129","5.20140210","5.20140221","5.20140227","5.20140306","5.20140320","5.20140402","5.20140405","5.20140412","5.20140421","5.20140517","5.20140529","5.20140606","5.20140613","5.20140707","5.20140709","5.20140717","5.20140817","5.20140831","5.20140915","5.20140919","5.20140926","5.20140927","5.20141013","5.20141024","5.20141125","5.20141203","5.20141219","5.20141231","5.20150113","5.20150205","5.20150219","5.20150317","5.20150327","5.20150406","5.20150406.1","5.20150409","5.20150420","5.20150508","5.20150508.1","5.20150522","5.20150528","5.20150617","5.20150710","5.20150727","5.20150731","5.20150812","5.20150824","5.20150916","5.20150930","5.20151019","5.20151102","5.20151102.1","5.20151116","5.20151208","5.20151218","6.20160114","6.20160126","6.20160211","6.20160229","6.20160318","6.20160412","6.20160418","6.20160419","6.20160511","6.20160527","6.20160613","6.20160619","6.20160808","6.20160907","6.20160923","6.20161012","6.20161027","6.20161031","6.20161111","6.20161118","6.20161210","6.20170101","6.20170214","6.20170301","6.20170301.1","6.20170321","6.20170510","6.20170519","6.20170520"],"database_specific":{"osv":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2023/HSEC-2023-0009.json","human_link":"https://github.com/haskell/security-advisories/tree/main/advisories/published/2023/HSEC-2023-0009.md","source":"https://github.com/haskell/security-advisories/blob/generated/osv-export/2023/HSEC-2023-0009.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}],"schema_version":"1.7.3"}