{
  "threat_severity" : "Moderate",
  "public_date" : "2017-05-05T00:00:00Z",
  "bugzilla" : {
    "description" : "git: Escape out of git-shell",
    "id" : "1450407",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1450407"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.0",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "details" : [ "git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a - (dash) character.", "A flaw was found in the way git-shell handled command-line options for the restricted set of git-shell commands. A remote, authenticated attacker could use this flaw to bypass git-shell restrictions and to view and manipulate files by abusing an instance of the less command that is launched when crafted command-line options are used." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2017-08-01T00:00:00Z",
    "advisory" : "RHSA-2017:2004",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "git-0:1.8.3.1-11.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2017-08-17T00:00:00Z",
    "advisory" : "RHSA-2017:2491",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "rh-git29-git-0:2.9.3-3.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2017-08-17T00:00:00Z",
    "advisory" : "RHSA-2017:2491",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-git29-git-0:2.9.3-3.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Will not fix",
    "package_name" : "git",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2017-8386\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-8386" ],
  "name" : "CVE-2017-8386",
  "csaw" : false
}