Incorrect Permission Assignment for Critical Resource in mercurial

Do your applications use this vulnerable package? Test your applications

Overview

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.

References

CONFIRM
CONFIRM
Debian Bug Report
Debian Security Advisory
Debian Security Announcement
Debian Security Tracker
Gentoo Security Advisory
RHSA Security Advisory
Security Focus
Ubuntu CVE Tracker

Attack Vector

Network
Attack Complexity

Low
Privileges Required

Low
User Interaction

None
Scope

Unchanged
Confidentiality

High
Integrity

High
Availability

High

CVE: CVE-2017-9462
CWE: CWE-732
Snyk ID: SNYK-DEBIAN8-MERCURIAL-311093
Disclosed: 06 Jun, 2017
Published: 06 Jun, 2017

Incorrect Permission Assignment for Critical Resource
Affecting mercurial package, versions <3.1.2-2+deb8u5

Overview

References

CVSS Score

Incorrect Permission Assignment for Critical Resource Affecting mercurial package, versions <3.1.2-2+deb8u5

Overview

References

Incorrect Permission Assignment for Critical Resource
Affecting mercurial package, versions <3.1.2-2+deb8u5