The bug occurs when
bash gets executed with a specially crafted environment variable.
Remote exploitation over
SSH is only possible when
bash is executed. When the
ForceCommand SSH option is in use, that command always gets executed using the login shell of the authenticated user (see the manual page of
Vulnerable configurations include public git services which normally restrict you to just running git commands. With this bug, you would be able to execute shell commands, bypassing the
ForceCommand restriction. For a git daemon service, this could mean that you can access all repositories owned by the system user (bypassing access restrictions imposed by, say,