Synology-SA-17:41 Git Server
CVE-2017-1000117 allows attackers to execute arbitrary commands on a vulnerable version of Git.
- Impact: Moderate
- CVSS3 Base Score: 4.8
- CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
- Git Server before 2.11.3-0116
- All Synology models
A shell command injection flaw related to the handling of "ssh" URLs has been discovered in Git. An attacker could use this flaw to execute shell commands with the privileges of the user running the Git client, for example, when performing a "clone" action on a malicious repository or a legitimate repository containing a malicious commit.
Synology will soon release the updates for affected products.