{"id":"CVE-2017-8386","details":"git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a - (dash) character.","modified":"2026-04-16T06:15:29.971532999Z","published":"2017-06-01T16:29:00.450Z","related":["SUSE-SU-2017:1357-1","SUSE-SU-2017:1432-1","openSUSE-SU-2024:10786-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DPYRN7APMHY4ZFDPAKD22J5R4QJFY2JP/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FDS3LSJJ3YGGQYIVPKQDVOCXWDSF6JGF/"},{"type":"WEB","url":"http://public-inbox.org/git/xmqq8tm5ziat.fsf%40gitster.mtv.corp.google.com/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ISHYFLM2ACYHHY3JHCLF75X7UF4ZMDM/"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-updates/2017-05/msg00090.html"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1038479"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:2004"},{"type":"ADVISORY","url":"https://insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-8386/"},{"type":"ADVISORY","url":"https://kernel.googlesource.com/pub/scm/git/git/+/3ec804490a265f4c418a321428c12f3f18b7eff5"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201706-04"},{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-3848"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/98409"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:2491"},{"type":"EVIDENCE","url":"http://www.ubuntu.com/usn/USN-3287-1"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-8386.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"42.1"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.10"}]},{"events":[{"introduced":"0"},{"last_affected":"17.04"}]},{"events":[{"introduced":"0"},{"last_affected":"24"}]},{"events":[{"introduced":"0"},{"last_affected":"25"}]},{"events":[{"introduced":"0"},{"last_affected":"26"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}