CVE-2017-12426

Name: CVE-2017-12426
Description: GitLab Community Edition (CE) and Enterprise Edition (EE) before 8.17.8, 9.0.x before 9.0.13, 9.1.x before 9.1.10, 9.2.x before 9.2.10, 9.3.x before 9.3.10, and 9.4.x before 9.4.4 might allow remote attackers to execute arbitrary code via a crafted SSH URL in a project import.
Source: CVE (at NVD)
NVD severity: medium (attack range: remote)
Debian Bugs: 872190

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                      Version                   Status
gitlab (PTS)     sid/contrib                  10.8.7+dfsg-1             vulnerable
                 stretch (security), stretch  8.13.11+dfsg1-8+deb9u3    vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release     Fixed Version   Urgency       Origin   Debian Bugs
gitlab    source   (unstable)  (unfixed)       unimportant            872190

Notes

https://gitlab.com/gitlab-org/gitlab-ce/issues/35212
The fix in git for CVE-2017-1000117 mitigates the issue in gitlab itself.
This CVE covers the project import via crafted SSH URLs, which becomes
ineffective once git itself is fixed.
