CVE-2017-12836
Published 2017-08-24
Priority P3 · 45 · high · 7.5 (CVSS 3.0)
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 5.97% (92.4th percentile)
CVS 1.12.x, when configured to use SSH for remote repositories, might allow remote attackers to execute arbitrary code via a repository URL with a crafted hostname, as demonstrated by "-oProxyCommand=id;localhost:/bar."
Affected
42 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | bazaar | <= 2.7.0 | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| cvs | cvs | >= 0 < 2:1.12.13+real-24 | 2:1.12.13+real-24 |
| cvs | cvs | >= 0 < 2:1.12.13+real-24 | 2:1.12.13+real-24 |
| cvs | cvs | >= 0 < 2:1.12.13+real-24 | 2:1.12.13+real-24 |
| cvs | cvs | >= 0 < 2:1.12.13+real-24 | 2:1.12.13+real-24 |
| debian | breezy | < breezy 3.0.0~bzr6772-1 (bookworm) | breezy 3.0.0~bzr6772-1 (bookworm) |
| debian | bzr | < breezy 3.0.0~bzr6772-1 (bookworm) | breezy 3.0.0~bzr6772-1 (bookworm) |
| debian | bzr | 0 – 2.7.0 | — |
| debian | cvs | < cvs 2:1.12.13+real-24 (bookworm) | cvs 2:1.12.13+real-24 (bookworm) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | dulwich | < dulwich 0.18.5-1 (bookworm) | dulwich 0.18.5-1 (bookworm) |
| debian | fossil | < fossil 1:2.4-1 (bookworm) | fossil 1:2.4-1 (bookworm) |
| debian | git-annex | < git-annex 6.20170818-1 (bookworm) | git-annex 6.20170818-1 (bookworm) |
| dulwich_project | dulwich | <= 0.18.4 | — |
| dulwich_project | dulwich | >= 0 < 0.18.5-1 | 0.18.5-1 |
| dulwich_project | dulwich | >= 0 < 0.18.5-1 | 0.18.5-1 |
| dulwich_project | dulwich | >= 0 < 0.18.5-1 | 0.18.5-1 |
| dulwich_project | dulwich | >= 0 < 0.18.5-1 | 0.18.5-1 |
| dulwich_project | dulwich | >= 0 < 0.18.5 | 0.18.5 |
| fossil-scm | fossil | >= 0 < 1:2.4-1 | 1:2.4-1 |
| fossil-scm | fossil | >= 0 < 1:2.4-1 | 1:2.4-1 |
CVSS provenance
nvd · v3.0 · 7.5 HIGH · CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd · v2.0 · 5.1 MEDIUM · AV:N/AC:H/Au:N/C:P/I:P/A:P
ghsa · 9.8 CRITICAL
osv · 9.8 CRITICAL
vendor_debian · 9.8 CRITICAL
vendor_redhat · 9.8 CRITICAL
GHSA
GHSA-jqcx-qqvc-9wx5: git-annex before 6
ghsa_unreviewed·2022-05-14·CVSS 9.8
CVE-2017-12976 [CRITICAL] CWE-20 GHSA-jqcx-qqvc-9wx5: git-annex before 6
git-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and CVE-2017-1000117.
GHSA
GHSA-gw7c-p8cp-7935: CVS 1
ghsa_unreviewed·2022-05-13
CVE-2017-12836 [HIGH] GHSA-gw7c-p8cp-7935: CVS 1
CVS 1.12.x, when configured to use SSH for remote repositories, might allow remote attackers to execute arbitrary code via a repository URL with a crafted hostname, as demonstrated by "-oProxyCommand=id;localhost:/bar."
GHSA
GHSA-jjxg-hpm7-g95f: Bazaar through 2
ghsa_unreviewed·2022-05-13·CVSS 9.8
CVE-2017-14176 [CRITICAL] GHSA-jjxg-hpm7-g95f: Bazaar through 2
Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
GHSA
GHSA-ff3p-f5xw-q723: http_transport
ghsa_unreviewed·2022-05-13·CVSS 9.8
CVE-2017-17459 [CRITICAL] GHSA-ff3p-f5xw-q723: http_transport
http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allows user-assisted remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-14176, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
OSV
Dulwich RCE Vulnerability
osv·2022-05-13·CVSS 9.8
CVE-2017-16228 [CRITICAL] Dulwich RCE Vulnerability
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
GHSA
Dulwich RCE Vulnerability
ghsa·2022-05-13·CVSS 9.8
CVE-2017-16228 [CRITICAL] Dulwich RCE Vulnerability
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
GHSA
Bazaar allows remote attackers to execute arbitrary commands via a bzr+ssh URL with initial dash character in hostname
ghsa·2022-05-13·CVSS 9.8
CVE-2017-14176 [CRITICAL] Bazaar allows remote attackers to execute arbitrary commands via a bzr+ssh URL with initial dash character in hostname
Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
OSV
CVE-2017-17459: http_transport
osv·2017-12-07·CVSS 9.8
CVE-2017-17459 [CRITICAL] CVE-2017-17459: http_transport
http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allows user-assisted remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-14176, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
OSV
CVE-2017-14176: Bazaar through 2
osv·2017-11-27·CVSS 9.8
CVE-2017-14176 [CRITICAL] CVE-2017-14176: Bazaar through 2
Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
OSV
CVE-2017-16228: Dulwich before 0
osv·2017-10-29·CVSS 9.8
CVE-2017-16228 [CRITICAL] CVE-2017-16228: Dulwich before 0
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
OSV
CVE-2017-12836: CVS 1
osv·2017-08-24·CVSS 7.5
CVE-2017-12836 [HIGH] CVE-2017-12836: CVS 1
CVS 1.12.x, when configured to use SSH for remote repositories, might allow remote attackers to execute arbitrary code via a repository URL with a crafted hostname, as demonstrated by "-oProxyCommand=id;localhost:/bar."
OSV
CVE-2017-12976: git-annex before 6
osv·2017-08-20·CVSS 9.8
CVE-2017-12976 [CRITICAL] CVE-2017-12976: git-annex before 6
git-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and CVE-2017-1000117.
Red Hat
python-dulwich: Setting SSH arguments from untrusted URLs allows code execution
vendor_redhat·2017-10-29·CVSS 9.8
CVE-2017-16228 [CRITICAL] CWE-20 python-dulwich: Setting SSH arguments from untrusted URLs allows code execution
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
Package: python-dulwich (Red Hat OpenStack Platform 11 (Ocata)) - Will not fix
Red Hat
bzr: does not strip bzr+ssh SSH options
vendor_redhat·2017-08-26·CVSS 9.8
CVE-2017-14176 [CRITICAL] CWE-77 bzr: does not strip bzr+ssh SSH options
Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
Statement: Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Package: bzr (Red Hat Enterprise Linux 6) - Will not fix
Package: bzr (Red Hat Enterprise Linux 7) - Will not fix
Ubuntu
cvs vulnerability
vendor_ubuntu·2017-08-21
CVE-2017-12836 cvs vulnerability
Title: cvs vulnerability
Summary: cvs could be made to run programs as your login if it opened a
specially crafted cvs repository.
Hank Leininger discovered that cvs did not properly handle SSH
for remote repositories. A remote attacker could use this to
construct a cvs repository that when accessed could run arbitrary
code with the privileges of the user.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
cvs: Command injection via malicious ssh URLs
vendor_redhat·2017-08-10·CVSS 7.5
CVE-2017-12836 [HIGH] CWE-77 cvs: Command injection via malicious ssh URLs
CVS 1.12.x, when configured to use SSH for remote repositories, might allow remote attackers to execute arbitrary code via a repository URL with a crafted hostname, as demonstrated by "-oProxyCommand=id;localhost:/bar."
Statement: Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Package: cvs (Red Hat Enterprise Linux 5) - Will not fix
Package: cvs (Red Hat Enterprise Linux 6) - Will not fix
Package: cvs (Red Hat Enterprise Linux 7) - Will not fix
Debian
CVE-2017-16228: dulwich - Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers t...
vendor_debian·2017·CVSS 9.8
CVE-2017-16228 [CRITICAL] CVE-2017-16228: dulwich - Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers t...
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
Scope: local
bookworm: resolved (fixed in 0.18.5-1)
bullseye: resolved (fixed in 0.18.5-1)
forky: resolved (fixed in 0.18.5-1)
sid: resolved (fixed in 0.18.5-1)
trixie: resolved (fixed in 0.18.5-1)
Debian
CVE-2017-12836: cvs - CVS 1.12.x, when configured to use SSH for remote repositories, might allow remo...
vendor_debian·2017·CVSS 7.5
CVE-2017-12836 [HIGH] CVE-2017-12836: cvs - CVS 1.12.x, when configured to use SSH for remote repositories, might allow remo...
CVS 1.12.x, when configured to use SSH for remote repositories, might allow remote attackers to execute arbitrary code via a repository URL with a crafted hostname, as demonstrated by "-oProxyCommand=id;localhost:/bar."
Scope: local
bookworm: resolved (fixed in 2:1.12.13+real-24)
bullseye: resolved (fixed in 2:1.12.13+real-24)
forky: resolved (fixed in 2:1.12.13+real-24)
sid: resolved (fixed in 2:1.12.13+real-24)
trixie: resolved (fixed in 2:1.12.13+real-24)
Debian
CVE-2017-14176: breezy - Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to ex...
vendor_debian·2017·CVSS 9.8
CVE-2017-14176 [CRITICAL] CVE-2017-14176: breezy - Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to ex...
Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
Scope: local
bookworm: resolved (fixed in 3.0.0~bzr6772-1)
bullseye: resolved (fixed in 3.0.0~bzr6772-1)
forky: resolved (fixed in 3.0.0~bzr6772-1)
sid: resolved (fixed in 3.0.0~bzr6772-1)
trixie: resolved (fixed in 3.0.0~bzr6772-1)
Debian
CVE-2017-17459: fossil - http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allow...
vendor_debian·2017·CVSS 9.8
CVE-2017-17459 [CRITICAL] CVE-2017-17459: fossil - http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allow...
http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allows user-assisted remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-14176, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
Scope: local
bookworm: resolved (fixed in 1:2.4-1)
bullseye: resolved (fixed in 1:2.4-1)
sid: resolved (fixed in 1:2.4-1)
trixie: resolved (fixed in 1:2.4-1)
Debian
CVE-2017-12976: git-annex - git-annex before 6.20170818 allows remote attackers to execute arbitrary command...
vendor_debian·2017·CVSS 9.8
CVE-2017-12976 [CRITICAL] CVE-2017-12976: git-annex - git-annex before 6.20170818 allows remote attackers to execute arbitrary command...
git-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and CVE-2017-1000117.
Scope: local
bookworm: resolved (fixed in 6.20170818-1)
bullseye: resolved (fixed in 6.20170818-1)
forky: resolved (fixed in 6.20170818-1)
sid: resolved (fixed in 6.20170818-1)
trixie: resolved (fixed in 6.20170818-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-16228 python-dulwich: Setting SSH arguments from untrusted URLs allows code execution
bugzilla·2017-11-03·CVSS 9.8
CVE-2017-16228 [CRITICAL] CVE-2017-16228 python-dulwich: Setting SSH arguments from untrusted URLs allows code execution
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
Upstream patch:
https://www.dulwich.io/code/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6/
Discussion:
Created python-dulwich tracking bugs for this issue:
Affects: epel-all [bug 1509304]
Affects: fedora-all [bug 1509305]
---
OpenStack reno is the package that requires python-dulwich. However, it does not use the vulnerable function within python-dulwich. The functionality used by reno is for manipulating
Bugzilla
CVE-2017-12976 git-annex: RCE via ssh URL with an initial dash character in the hostname
bugzilla·2017-08-24·CVSS 9.8
CVE-2017-12976 [CRITICAL] CVE-2017-12976 git-annex: RCE via ssh URL with an initial dash character in the hostname
git-annex before 6.20170818 allows remote attackers to execute
arbitrary commands via an ssh URL with an initial dash character in the
hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related
issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and
CVE-2017-1000117.
Upstream patch:
http://source.git-annex.branchable.com/?p=source.git;a=commit;h=df11e54788b254efebb4898b474de11ae8d3b471
Discussion:
Created git-annex tracking bugs for this issue:
Affects: epel-all [bug 1484822]
Affects: fedora-all [bug 1484821]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the d
Bugzilla
CVE-2017-12836 cvs: Command injection via malicious ssh URLs [fedora-all]
bugzilla·2017-08-11·CVSS 7.5
CVE-2017-12836 [HIGH] CVE-2017-12836 cvs: Command injection via malicious ssh URLs [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of
Bugzilla
CVE-2017-12836 cvs: Command injection via malicious ssh URLs
bugzilla·2017-08-11·CVSS 7.5
CVE-2017-12836 [HIGH] CVE-2017-12836 cvs: Command injection via malicious ssh URLs
A command injection vulnerability was found in CVS that can be triggered via malicious SSH URLs.
References:
http://www.openwall.com/lists/oss-security/2017/08/11/1
Discussion:
Created cvs tracking bugs for this issue:
Affects: fedora-all [bug 1480801]
---
Reproducer:
$ CVS_RSH=/usr/bin/ssh strace -fq -e execve cvs -d '-oProxyCommand=id;localhost:/bar' co yada
execve("/usr/bin/cvs", ["cvs", "-d", "-oProxyCommand=id;localhost:/bar", "co", "yada"], 0x7ffc55abc638 /* 38 vars */) = 0
[pid 22658] execve("/usr/bin/ssh", ["/usr/bin/ssh", "-oProxyCommand=id;localhost", "cvs server"], 0x9ce03e55c0 /* 40 vars */) = 0
Pseudo-terminal will not be allocated because stdin is not a terminal.
[pid 22659] execve("/bin/bash", ["/bin/bash",
http://lists.nongnu.org/archive/html/bug-cvs/2017-08/msg00000.html
http://www.debian.org/security/2017/dsa-3940
http://www.openwall.com/lists/oss-security/2017/08/11/1
http://www.openwall.com/lists/oss-security/2017/08/11/4
http://www.securityfocus.com/bid/100279
http://www.ubuntu.com/usn/USN-3399-1
https://bugzilla.redhat.com/show_bug.cgi?id=1480800
https://security.gentoo.org/glsa/201709-17
Published: 2017-08-24