CVE-2014-9462 — Improper Input Validation in Mercurial

CWE-20 — Improper Input Validation9 documents7 sources

Severity

7.5HIGHNVD

EPSS

1.1%

top 21.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mercurial Debian Mercurial Opensuse

Timeline

PublishedMar 31

Latest updateMay 14

Description

The _validaterepo function in sshpeer in Mercurial before 3.2.4 allows remote attackers to execute arbitrary commands via a crafted repository name in a clone command.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages5 packages

▶debiandebian/mercurial< mercurial 3.4-1 (bookworm)

▶PyPImercurial/mercurial< 3.2.4

▶Debianmercurial/mercurial< 3.4-1+3

▶NVDmercurial/mercurial3.2.3

▶NVDopensuse/opensuse13.1, 13.2+1

🔴Vulnerability Details

GHSA

Mercurial vulnerable to arbitrary command execution via a crafted repository name in a clone command↗2022-05-14

▶

OSV

Mercurial vulnerable to arbitrary command execution via a crafted repository name in a clone command↗2022-05-14

▶

OSV

CVE-2014-9462: The _validaterepo function in sshpeer in Mercurial before 3↗2015-03-31

▶

CVEList

CVE-2014-9462: The _validaterepo function in sshpeer in Mercurial before 3↗2015-03-31

▶

📋Vendor Advisories

Red Hat

mercurial: command Injection via sshpeer._validaterepo()↗2014-12-29

▶

Debian

CVE-2014-9462: mercurial - The _validaterepo function in sshpeer in Mercurial before 3.2.4 allows remote at...↗2014

▶

💬Community

Bugzilla

CVE-2014-9462 mercurial: command Injection via sshpeer._validaterepo() [fedora-all]↗2015-03-23

▶

Bugzilla

CVE-2014-9462 mercurial: command Injection via sshpeer._validaterepo()↗2015-03-23

▶