Synology-SA-17:41 Git Server
Publish Time: 2017-08-15 00:00:00 UTC+8
Last Updated: 2017-10-06 17:22:33 UTC+8
CVE-2017-1000117 allows attackers to execute arbitrary commands on a vulnerable version of Git.
- Impact: Moderate
- CVSS3 Base Score: 4.8
- CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
- Git Server before 2.11.3-0116
- All Synology models
A shell command injection flaw related to the handling of "ssh" URLs has been discovered in Git. An attacker could use this flaw to execute shell commands with the privileges of the user running the Git client, for example, when performing a "clone" action on a malicious repository or a legitimate repository containing a malicious commit.
To fix the security issue, please go to DSM > Package Center and update Git Server to 2.11.3-0116 or above.