8.8 / 10
HIGH
A malicious third party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability.
Weakness: URL Redirection to Untrusted Site ('Open Redirect')
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
Published: 2017-10-05
Community Advisory
CVE-2017-1000117 Exploits (25)
- greymd/CVE-2017-1000117 (136)
- Manouchehri/CVE-2017-1000117 (16)
- timwr/CVE-2017-1000117 (6)
- VulApps/CVE-2017-1000117 (4)
- ieee0824/CVE-2017-1000117 (3)
- AnonymKing/CVE-2017-1000117 (1)
- sasairc/CVE-2017-1000117_wasawasa (1)
- nkoneko/CVE-2017-1000117 (1)
- Shadow5523/CVE-2017-1000117-test
- ieee0824/CVE-2017-1000117-sl
- ikmski/CVE-2017-1000117
- rootclay/CVE-2017-1000117
- leezp/CVE-2017-1000117
- shogo82148/Fix-CVE-2017-1000117
- siling2017/CVE-2017-1000117
- Q2h1Cg/CVE-2017-1000117
- rapid7/metasploit-framework/modules/exploits/multi/http/git_submodule_command_exec.rb
- 42599
- thelastbyte/CVE-2017-1000117
- GrahamMThomas/test-git-vuln_CVE-2017-1000117
- bells17/CVE-2017-1000117
- takehaya/CVE-2017-1000117
- cved-sources/cve-2017-1000117
- alilangtest/CVE-2017-1000117
- chenzhuo0618/test
Official CVE References
- debian.org/security/2017/dsa-3934
- securityfocus.com/bid/100283
- securitytracker.com/id/1039131
- redhat.com/errata/RHSA-2017:2484
- redhat.com/errata/RHSA-2017:2485
- redhat.com/errata/RHSA-2017:2491
- redhat.com/errata/RHSA-2017:2674
- redhat.com/errata/RHSA-2017:2675
- gentoo.org/glsa/201709-10
- apple.com/HT208103
- 42599
- mail-archive.com/[email protected]/msg1466490.html