VIR Vulnerability Intelligence Relay

CVE-2017-1000117

high
Published 2017-10-05 · Modified 2026-05-13
CVSS v3
8.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v2
6.8
VIR risk
8.8

Description

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability.

Predictions

Exploit likelihood
92%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2017-1000117

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2017-1000117.html

vendor Authored 2026-05-27

Vendor advisory: arch — https://security.archlinux.org/ASA-201708-6

OS impact
OSVersionStatusFixed in
arch archfixed2.14.1-1
suse slesaffected
debian debianbookwormfixed1:2.14.1-1
debian debianbullseyefixed1:2.14.1-1
debian debianforkyfixed1:2.14.1-1
debian debiansidfixed1:2.14.1-1
debian debiantrixiefixed1:2.14.1-1

Application impact
VendorProductVersionsFixed
git-scmgit{"endIncluding":"2.7.5"}
git-scmgit2.8.0
git-scmgit2.8.1
git-scmgit2.8.2
git-scmgit2.8.3
git-scmgit2.8.4
git-scmgit2.8.5
git-scmgit2.9.0
git-scmgit2.9.1
git-scmgit2.9.2
git-scmgit2.9.3
git-scmgit2.9.4
git-scmgit2.10.0
git-scmgit2.10.1
git-scmgit2.10.2
git-scmgit2.10.3
git-scmgit2.11.0
git-scmgit2.11.1
git-scmgit2.11.2
git-scmgit2.12.0
git-scmgit2.12.1
git-scmgit2.12.2
git-scmgit2.12.3
git-scmgit2.13.0
git-scmgit2.13.1
git-scmgit2.13.2
git-scmgit2.13.3
git-scmgit2.13.4
git-scmgit2.14.0

References

CWEs

CWE-601

Verify integrity in audit chain (admin only). AS-IS.