Recently, the latest patches were released for three mainstream version control systems, Git, Mercurial, and Subversion (SVN), to fix a client code execution vulnerability.
Attackers send a crafted
ssh:// URL to the target host. When the target host accesses this URL, the vulnerability is triggered and malicious code is executed.
This vulnerability was detected and reported by Brian Neel from GitLab, Joan Schneeweiss from Recurity Labs, and Jeff King from GitHub.
See the following for more information about the vulnerability.
- CVE-2017-1000117 (Git)
- CVE-2017-1000116 (Mercurial)
- CVE-2017-9800 (Apache Subversion)
Remote command execution vulnerability in Git, Mercurial, and Apache Subversion (SVN)
The attacker sends a crafted
ssh://... to the target host. When the target host accesses this URL, the malicious command starts to run on the client, causing the host permission to be stolen.
Condition and method of exploitation
This vulnerability can be exploited through remote phishing.
- Git v2.7.6
- Git v2.8.6
- Git v2.9.5
- Git v2.10.4
- Git v2.11.3
- Git v2.12.4
- Git v2.13.5
- Apache Subversion clients 1.0.0 through 1.8.18 (inclusive)
- Apache Subversion clients 1.9.0 through 1.9.6 (inclusive)
- Apache Subversion client 1.10.0-alpha3
Mercurial < 4.3
Check whether any affected version is used.
How to fix or mitigate
Git: Upgrade to Git v2.14.1.
Mercurial: Upgrade to Mercurial 4.3 and 4.2.3.
Apache Subversion: Upgrade to Subversion 1.8.19 or Subversion 1.9.7.