CVE-2017-1000117

Name: CVE-2017-1000117
Creator: NVD / NIST
Published: 2017-10-05T01:29:04.65+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 77.82%

Last modified Jun 17, 2026

CVE-2017-1000117 is a vulnerability of currently unknown severity. A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability.. EPSS estimates a 77.82% chance of exploitation in the next 30 days.

Description

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability.

Metrics

EPSS Probability

77.82%

99.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-601

Affected Software

Vendor	Product	Versions
Git-Scm	Git	<= 2.7.5
Git-Scm	Git	2.8.0
Git-Scm	Git	2.8.1
Git-Scm	Git	2.8.2
Git-Scm	Git	2.8.3
Git-Scm	Git	2.8.4
Git-Scm	Git	2.8.5
Git-Scm	Git	2.9.0
Git-Scm	Git	2.9.1
Git-Scm	Git	2.9.2
Git-Scm	Git	2.9.3
Git-Scm	Git	2.9.4
Git-Scm	Git	2.10.0
Git-Scm	Git	2.10.1
Git-Scm	Git	2.10.2
Git-Scm	Git	2.10.3
Git-Scm	Git	2.11.0
Git-Scm	Git	2.11.1
Git-Scm	Git	2.11.2
Git-Scm	Git	2.12.0
Git-Scm	Git	2.12.1
Git-Scm	Git	2.12.2
Git-Scm	Git	2.12.3
Git-Scm	Git	2.13.0
Git-Scm	Git	2.13.1
Git-Scm	Git	2.13.2
Git-Scm	Git	2.13.3
Git-Scm	Git	2.13.4
Git-Scm	Git	2.14.0

References

http://www.debian.org/security/2017/dsa-3934
http://www.securityfocus.com/bid/100283Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1039131Third Party Advisory, VDB Entry
https://access.redhat.com/errata/RHSA-2017:2484
https://access.redhat.com/errata/RHSA-2017:2485
https://access.redhat.com/errata/RHSA-2017:2491
https://access.redhat.com/errata/RHSA-2017:2674
https://access.redhat.com/errata/RHSA-2017:2675
https://security.gentoo.org/glsa/201709-10Third Party Advisory, VDB Entry
https://support.apple.com/HT208103Third Party Advisory
https://www.exploit-db.com/exploits/42599/Third Party Advisory, VDB Entry
https://www.mail-archive.com/linux-kernel%40vger.kernel.org/msg1466490.html
http://www.debian.org/security/2017/dsa-3934
http://www.securityfocus.com/bid/100283Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1039131Third Party Advisory, VDB Entry
https://access.redhat.com/errata/RHSA-2017:2484
https://access.redhat.com/errata/RHSA-2017:2485
https://access.redhat.com/errata/RHSA-2017:2491
https://access.redhat.com/errata/RHSA-2017:2674
https://access.redhat.com/errata/RHSA-2017:2675
https://security.gentoo.org/glsa/201709-10Third Party Advisory, VDB Entry
https://support.apple.com/HT208103Third Party Advisory
https://www.exploit-db.com/exploits/42599/Third Party Advisory, VDB Entry
https://www.mail-archive.com/linux-kernel%40vger.kernel.org/msg1466490.html

Timeline

Published: Oct 5, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2017-1000117?

How severe is CVE-2017-1000117?

Severity scoring for CVE-2017-1000117 is pending analysis. The EPSS model estimates a 77.82% probability of exploitation in the next 30 days.

How do I fix CVE-2017-1000117?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-1000117?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST