Synology-SA-17:41 Git Server
Publish Time: UTC+8
Last Updated: UTC+8
- Severity: Moderate
- Status: Resolved
Abstract
CVE-2017-1000117 allows attackers to execute arbitrary commands on a vulnerable version of Git.
Severity
- Impact: Moderate
- CVSS3 Base Score: 4.8
- CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Affected
- Products
  - Git Server before 2.11.3-0116
- Models
  - All Synology models
Description
A shell command injection flaw related to the handling of "ssh" URLs has been discovered in Git. An attacker could use this flaw to execute shell commands with the privileges of the user running the Git client, for example, when performing a "clone" action on a malicious repository or a legitimate repository containing a malicious commit.
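For auditing repositories that clients of the server may clone, the following added example (not Synology's or Git's own code) flags submodule entries whose "ssh" URL has a host part beginning with a dash, the condition upstream Git now rejects for this CVE. The function names and the sample `.gitmodules` content are constructed for illustration, and the check is a conservative approximation of Git's own URL parsing.

```python
import re
from urllib.parse import urlsplit

SSH_SCHEMES = {"ssh", "git+ssh", "ssh+git"}
SCP_LIKE = re.compile(r"^(?P<authority>[^/:]+):")  # [user@]host:path, also sent to ssh
SECTION = re.compile(r'^\s*\[submodule\s+"(?P<name>.*)"\]\s*$')
URL_KEY = re.compile(r"^\s*url\s*=\s*(?P<url>.*?)\s*$", re.IGNORECASE)

def ssh_authority(url):
    """Return the [user@]host part of an ssh-transport URL, or None otherwise."""
    if "://" in url:
        parts = urlsplit(url)
        if parts.scheme.lower() not in SSH_SCHEMES:
            return None
        return re.sub(r":\d*$", "", parts.netloc)  # drop an optional :port
    m = SCP_LIKE.match(url)
    return m.group("authority") if m else None

def is_option_like(authority):
    """True if the authority, or the host after user@, starts with '-'."""
    host = authority.rsplit("@", 1)[-1]
    return authority.startswith("-") or host.startswith("-")

def submodule_urls(gitmodules_text):
    """Yield (submodule name, url) pairs from .gitmodules content."""
    name = None
    for line in gitmodules_text.splitlines():
        if line.strip().startswith("["):
            m = SECTION.match(line)
            name = m.group("name") if m else None  # leave non-submodule sections
            continue
        m = URL_KEY.match(line)
        if m and name is not None:
            yield name, m.group("url")

def suspicious_submodules(gitmodules_text):
    """Return the submodules whose ssh URL should be reviewed before cloning."""
    findings = []
    for name, url in submodule_urls(gitmodules_text):
        authority = ssh_authority(url)
        if authority is not None and is_option_like(authority):
            findings.append((name, url))
    return findings

# Constructed sample input; the hosts are placeholders, not real indicators.
SAMPLE = ('[submodule "docs"]\n\tpath = docs\n\turl = https://git.example.com/team/docs.git\n'
          '[submodule "lib"]\n\tpath = lib\n\turl = git@git.example.com:team/lib.git\n'
          '[submodule "vendor"]\n\tpath = vendor\n\turl = ssh://-constructed-placeholder/vendor.git\n')

if __name__ == "__main__":
    for name, url in suspicious_submodules(SAMPLE):
        print(f"review submodule {name!r}: {url}")
```

A clean result from this check does not replace the package update listed under Update Availability.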
Mitigation
None
Update Availability
To fix the security issue, please go to DSM > Package Center and update Git Server to 2.11.3-0116 or above.
Reference