OS Command Injection in mercurial

Do your applications use this vulnerable package? Test your applications

Overview

In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically.

References

CONFIRM
Debian Security Announcement
Debian Security Announcement
Debian Security Announcement
Debian Security Tracker
MISC
MISC
MISC
MLIST
Security Focus
Ubuntu CVE Tracker

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

High
Integrity

High
Availability

High

CVE: CVE-2017-17458
CWE: CWE-78
Snyk ID: SNYK-DEBIAN9-MERCURIAL-311070
Disclosed: 07 Dec, 2017
Published: 07 Dec, 2017

OS Command Injection
Affecting mercurial package, versions <4.0-1+deb9u2

Overview

References

CVSS Score

OS Command Injection Affecting mercurial package, versions <4.0-1+deb9u2

Overview

References

OS Command Injection
Affecting mercurial package, versions <4.0-1+deb9u2