edit-icon download-icon

[Vulnerability notice] CVE-2017-1000117/1000116/9800: Remote command execution vulnerability in Git, Mercurial, and Apache Subversion (SVN)

Last Updated: Apr 02, 2018

Recently, the latest patches were released for three mainstream version control systems, Git, Mercurial, and Subversion (SVN), to fix a client code execution vulnerability.

Attackers send a crafted ssh:// URL to the target host. When the target host accesses this URL, the vulnerability is triggered and malicious code is executed.

This vulnerability was detected and reported by Brian Neel from GitLab, Joan Schneeweiss from Recurity Labs, and Jeff King from GitHub.

See the following for more information about the vulnerability.


CVE identifier

  • CVE-2017-1000117 (Git)
  • CVE-2017-1000116 (Mercurial)
  • CVE-2017-9800 (Apache Subversion)

Vulnerability name

Remote command execution vulnerability in Git, Mercurial, and Apache Subversion (SVN)

Vulnerability rating

High

Vulnerability description

The attacker sends a crafted ssh://... to the target host. When the target host accesses this URL, the malicious command starts to run on the client, causing the host permission to be stolen.

Condition and method of exploitation

This vulnerability can be exploited through remote phishing.

Affected scope

  • Git

    • Git v2.7.6
    • Git v2.8.6
    • Git v2.9.5
    • Git v2.10.4
    • Git v2.11.3
    • Git v2.12.4
    • Git v2.13.5
  • Apache Subversion

    • Apache Subversion clients 1.0.0 through 1.8.18 (inclusive)
    • Apache Subversion clients 1.9.0 through 1.9.6 (inclusive)
    • Apache Subversion client 1.10.0-alpha3
  • Mercurial < 4.3

Vulnerability detection

Check whether any affected version is used.

How to fix or mitigate

  • Git: Upgrade to Git v2.14.1.

  • Mercurial: Upgrade to Mercurial 4.3 and 4.2.3.

  • Apache Subversion: Upgrade to Subversion 1.8.19 or Subversion 1.9.7.

Reference

[1]. https://about.gitlab.com/2017/08/10/gitlab-9-dot-4-dot-4-released/

Thank you! We've received your feedback.