CVE-2017-16228 — Improper Input Validation in Project Dulwich

CWE-20 — Improper Input Validation CWE-77 — Command Injection11 documents7 sources

Severity

9.8CRITICALNVD

EPSS

0.4%

top 37.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dulwich Project Dulwich

Timeline

PublishedOct 29

Latest updateMay 13

Description

Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶PyPIdulwich_project/dulwich< 0.18.5

▶Debiandulwich_project/dulwich< 0.18.5-1+3

▶NVDdulwich_project/dulwich0.18.4

Patches

Patch: www.dulwich.io ↗Patch: www.dulwich.io ↗

🔴Vulnerability Details

OSV

Dulwich RCE Vulnerability↗2022-05-13

▶

GHSA

Dulwich RCE Vulnerability↗2022-05-13

▶

OSV

CVE-2017-16228: Dulwich before 0↗2017-10-29

▶

CVEList

CVE-2017-16228: Dulwich before 0↗2017-10-29

▶

📋Vendor Advisories

Red Hat

python-dulwich: Setting SSH arguments from untrusted URLs allows code execution↗2017-10-29

▶

Red Hat

bzr: does not strip bzr+ssh SSH options↗2017-08-26

▶

Debian

CVE-2017-16228: dulwich - Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers t...↗2017

▶

💬Community

Bugzilla

CVE-2017-16228 python-dulwich: Setting SSH arguments from untrusted URLs allows code execution [fedora-all]↗2017-11-03

▶

Bugzilla

CVE-2017-16228 python-dulwich: Setting SSH arguments from untrusted URLs allows code execution [epel-all]↗2017-11-03

▶

Bugzilla

CVE-2017-16228 python-dulwich: Setting SSH arguments from untrusted URLs allows code execution↗2017-11-03

▶