Synology-SA-17:41 Git Server

2017-08-15 16:10:00

Severity: Moderate
Status: Ongoing

Abstract

CVE-2017-1000117 allows attackers to execute arbitrary commands on systems running a vulnerable version of Git.

Affected

  • Products
    • Git Server before 2.11.3-0116
  • Models
    • All Synology models

Description

A shell command injection flaw related to the handling of "ssh" URLs has been discovered in Git. An attacker could use this flaw to execute shell commands with the privileges of the user running the Git client, for example, when performing a "clone" action on a malicious repository or a legitimate repository containing a malicious commit.
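Until a fixed package is installed, repositories can be audited before cloning. The sketch below is an added example, not Synology's or the Git project's code: it applies the rule the upstream Git fix enforces (an ssh hostname must not begin with "-", because the ssh client would read it as an option) to the submodule URLs in a `.gitmodules` file. The function names and the sample file contents are constructed for illustration.

```python
import re

# Schemes that Git hands to an ssh client.
SSH_SCHEMES = ("ssh://", "git+ssh://", "ssh+git://")
URL_LINE = re.compile(r"^\s*url\s*=\s*(\S+)\s*$", re.IGNORECASE)


def ssh_host(url):
    """Return the [user@]host[:port] part of an ssh URL, or None if not ssh."""
    lowered = url.lower()
    for scheme in SSH_SCHEMES:
        if lowered.startswith(scheme):
            return url[len(scheme):].split("/", 1)[0]
    # scp-like form: [user@]host:path, with no "/" before the first ":".
    head, sep, _ = url.partition(":")
    if sep and "://" not in url and "/" not in head:
        return head
    return None


def is_suspicious(url):
    """True when the ssh host could be read as a command-line option."""
    host = ssh_host(url)
    if host is None:
        return False
    # Conservative: also check the host that follows an optional "user@".
    return host.startswith("-") or host.rsplit("@", 1)[-1].startswith("-")


def audit_gitmodules(text):
    """Return the submodule URLs in .gitmodules text that should be rejected."""
    urls = (m.group(1) for m in map(URL_LINE.match, text.splitlines()) if m)
    return [u for u in urls if is_suspicious(u)]


# Constructed sample .gitmodules content (hypothetical hosts).
SAMPLE = """\
[submodule "lib"]
    path = lib
    url = ssh://git@git.example.com/team/lib.git
[submodule "vendor"]
    path = vendor
    url = ssh://-flagged.example/vendor.git
[submodule "tools"]
    path = tools
    url = -flagged.example:tools.git
"""

if __name__ == "__main__":
    print(audit_gitmodules(SAMPLE))
```

Run it against the `.gitmodules` of a repository fetched without submodules, and treat any flagged URL as a reason not to initialise them.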

Mitigation

None

Update Availability

Synology will soon release the updates for affected products.
