ALPINE-CVE-2017-1000117

ALPINE-CVE-2017-1000117 PUBLISHED CVSS 8.800000190734863 HIGH

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability.

Risk Scores

CVSS v3.0

8.800000190734863

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Alpine:v3.14	git	2.3.5-r0, 2.9.3-r0, 2.9.2-r0
Alpine:v3.13	git	1.7.5.4-r0, 2.9.3-r0, 1.7.0.2-r0
Alpine:v3.9	git	2.0.2-r0, 2.0.3-r0, 2.0.4-r0
Alpine:v3.3	git	1.7.12.1-r0, 2.6.7-r0, 2.6.6-r0
Alpine:v3.7	git	1.7.3.5-r1, 1.8.1.1-r0, 1.8.2-r0
Alpine:v3.4	git	2.0.1-r0, 2.0.0-r0, 1.9.3-r0
Alpine:v3.18	git	1.6.0.4-r2, 1.7.11.4-r0, 1.7.11.3-r0
Alpine:v3.23	git	1.7.5.3-r0, 1.7.7.1-r0, 1.7.9.4-r0
Alpine:v3.15	git	1.8.2-r0, 1.8.1.3-r0, 1.8.1.2-r0
Alpine:v3.17	git	1.6.2.3-r0, 0, 1.6.0.4-r1
Alpine:v3.10	git	1.8.1.2-r0, 1.8.5.1-r2, 1.8.2-r0
Alpine:v3.21	git	1.7.10-r0, 1.6.0.4-r1, 1.6.0.4-r2
Alpine:v3.6	git	1.6.6.1-r0, 1.7.0.2-r0, 1.7.0.3-r0
Alpine:v3.20	git	1.8.1.2-r0, 1.8.1.3-r0, 1.8.1.4-r0
Alpine:v3.12	git	1.8.5.3-r1, 0, 1.6.0.4-r1
Alpine:v3.22	git	0, 2.9.3-r0, 2.9.2-r0
Alpine:v3.16	git	1.7.3-r0, 1.7.9.5-r0, 1.7.9.1-r0
Alpine:v3.5	git	2.9.3-r0, 2.9.2-r0, 2.9.1-r0
Alpine:v3.19	git	2.13.4-r0, 2.13.3-r1, 2.13.3-r0
Alpine:v3.11	git	1.7.3.3-r0, 2.14.0-r0, 2.14.0-r1

…and 1 more

Timeline

Oct 5, 2017 CVE Published
Dec 3, 2025 CVE Updated
Apr 30, 2026 Distribution Patch

References

https://security.alpinelinux.org/vuln/CVE-2017-1000117 advisory

Open in Interactive Console →