CVE-2017-16228
published 2017-10-29CVE-2017-16228: Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in…
PriorityP352critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
3.39%
87.3th percentile
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | bazaar | <= 2.7.0 | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | breezy | < breezy 3.0.0~bzr6772-1 (bookworm) | breezy 3.0.0~bzr6772-1 (bookworm) |
| debian | bzr | < breezy 3.0.0~bzr6772-1 (bookworm) | breezy 3.0.0~bzr6772-1 (bookworm) |
| debian | bzr | 0 – 2.7.0 | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | dulwich | < dulwich 0.18.5-1 (bookworm) | dulwich 0.18.5-1 (bookworm) |
| debian | fossil | < fossil 1:2.4-1 (bookworm) | fossil 1:2.4-1 (bookworm) |
| dulwich_project | dulwich | <= 0.18.4 | — |
| dulwich_project | dulwich | >= 0 < 0.18.5-1 | 0.18.5-1 |
| dulwich_project | dulwich | >= 0 < 0.18.5-1 | 0.18.5-1 |
| dulwich_project | dulwich | >= 0 < 0.18.5-1 | 0.18.5-1 |
| dulwich_project | dulwich | >= 0 < 0.18.5-1 | 0.18.5-1 |
| dulwich_project | dulwich | >= 0 < 0.18.5 | 0.18.5 |
| fossil-scm | fossil | >= 0 < 1:2.4-1 | 1:2.4-1 |
| fossil-scm | fossil | >= 0 < 1:2.4-1 | 1:2.4-1 |
| fossil-scm | fossil | >= 0 < 1:2.4-1 | 1:2.4-1 |
| fossil_scm | fossil | < 2.4 | 2.4 |
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
ghsa9.8CRITICAL
osv9.8CRITICAL
vendor_debian9.8CRITICAL
vendor_redhat9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
python-dulwich: Setting SSH arguments from untrusted URLs allows code execution
vendor_redhat·2017-10-29·CVSS 9.8
CVE-2017-16228 [CRITICAL] CWE-20 python-dulwich: Setting SSH arguments from untrusted URLs allows code execution
python-dulwich: Setting SSH arguments from untrusted URLs allows code execution
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
Package: python-dulwich (Red Hat OpenStack Platform 11 (Ocata)) - Will not fix
Red Hat
bzr: does not strip bzr+ssh SSH options
vendor_redhat·2017-08-26·CVSS 9.8
CVE-2017-14176 [CRITICAL] CWE-77 bzr: does not strip bzr+ssh SSH options
bzr: does not strip bzr+ssh SSH options
Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
Statement: Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Package: bzr (Red Hat Enterprise Linux 6) - Will not fix
Package: bzr (Red Hat Enterprise Linux 7) - Will not fix
Debian
CVE-2017-16228: dulwich - Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers t...
vendor_debian·2017·CVSS 9.8
CVE-2017-16228 [CRITICAL] CVE-2017-16228: dulwich - Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers t...
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
Scope: local
bookworm: resolved (fixed in 0.18.5-1)
bullseye: resolved (fixed in 0.18.5-1)
forky: resolved (fixed in 0.18.5-1)
sid: resolved (fixed in 0.18.5-1)
trixie: resolved (fixed in 0.18.5-1)
Debian
CVE-2017-14176: breezy - Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to ex...
vendor_debian·2017·CVSS 9.8
CVE-2017-14176 [CRITICAL] CVE-2017-14176: breezy - Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to ex...
Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
Scope: local
bookworm: resolved (fixed in 3.0.0~bzr6772-1)
bullseye: resolved (fixed in 3.0.0~bzr6772-1)
forky: resolved (fixed in 3.0.0~bzr6772-1)
sid: resolved (fixed in 3.0.0~bzr6772-1)
trixie: resolved (fixed in 3.0.0~bzr6772-1)
Debian
CVE-2017-17459: fossil - http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allow...
vendor_debian·2017·CVSS 9.8
CVE-2017-17459 [CRITICAL] CVE-2017-17459: fossil - http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allow...
http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allows user-assisted remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-14176, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
Scope: local
bookworm: resolved (fixed in 1:2.4-1)
bullseye: resolved (fixed in 1:2.4-1)
sid: resolved (fixed in 1:2.4-1)
trixie: resolved (fixed in 1:2.4-1)
GHSA
GHSA-jjxg-hpm7-g95f: Bazaar through 2
ghsa_unreviewed·2022-05-13·CVSS 9.8
CVE-2017-14176 [CRITICAL] GHSA-jjxg-hpm7-g95f: Bazaar through 2
Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
GHSA
GHSA-ff3p-f5xw-q723: http_transport
ghsa_unreviewed·2022-05-13·CVSS 9.8
CVE-2017-17459 [CRITICAL] GHSA-ff3p-f5xw-q723: http_transport
http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allows user-assisted remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-14176, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
OSV
Dulwich RCE Vulnerability
osv·2022-05-13·CVSS 9.8
CVE-2017-16228 [CRITICAL] Dulwich RCE Vulnerability
Dulwich RCE Vulnerability
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
GHSA
Dulwich RCE Vulnerability
ghsa·2022-05-13·CVSS 9.8
CVE-2017-16228 [CRITICAL] Dulwich RCE Vulnerability
Dulwich RCE Vulnerability
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
GHSA
Bazaar allows remote attackers to execute arbitrary commands via a bzr+ssh URL with initial dash character in hostname
ghsa·2022-05-13·CVSS 9.8
CVE-2017-14176 [CRITICAL] Bazaar allows remote attackers to execute arbitrary commands via a bzr+ssh URL with initial dash character in hostname
Bazaar allows remote attackers to execute arbitrary commands via a bzr+ssh URL with initial dash character in hostname
Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
OSV
CVE-2017-17459: http_transport
osv·2017-12-07·CVSS 9.8
CVE-2017-17459 [CRITICAL] CVE-2017-17459: http_transport
http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allows user-assisted remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-14176, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
OSV
CVE-2017-14176: Bazaar through 2
osv·2017-11-27·CVSS 9.8
CVE-2017-14176 [CRITICAL] CVE-2017-14176: Bazaar through 2
Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
OSV
CVE-2017-16228: Dulwich before 0
osv·2017-10-29·CVSS 9.8
CVE-2017-16228 [CRITICAL] CVE-2017-16228: Dulwich before 0
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-16228 python-dulwich: Setting SSH arguments from untrusted URLs allows code execution [fedora-all]
bugzilla·2017-11-03·CVSS 9.8
CVE-2017-16228 [CRITICAL] CVE-2017-16228 python-dulwich: Setting SSH arguments from untrusted URLs allows code execution [fedora-all]
CVE-2017-16228 python-dulwich: Setting SSH arguments from untrusted URLs allows code execution [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affec
Bugzilla
CVE-2017-16228 python-dulwich: Setting SSH arguments from untrusted URLs allows code execution [epel-all]
bugzilla·2017-11-03·CVSS 9.8
CVE-2017-16228 [CRITICAL] CVE-2017-16228 python-dulwich: Setting SSH arguments from untrusted URLs allows code execution [epel-all]
CVE-2017-16228 python-dulwich: Setting SSH arguments from untrusted URLs allows code execution [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects m
Bugzilla
CVE-2017-16228 python-dulwich: Setting SSH arguments from untrusted URLs allows code execution
bugzilla·2017-11-03·CVSS 9.8
CVE-2017-16228 [CRITICAL] CVE-2017-16228 python-dulwich: Setting SSH arguments from untrusted URLs allows code execution
CVE-2017-16228 python-dulwich: Setting SSH arguments from untrusted URLs allows code execution
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
Upstream patch:
https://www.dulwich.io/code/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6/
Discussion:
Created python-dulwich tracking bugs for this issue:
Affects: epel-all [bug 1509304]
Affects: fedora-all [bug 1509305]
---
OpenStack reno is the package that requires python-dulwich. However, it does not use the vulnerable function within python-dulwich. The functionality used by reno is for manipulating
https://tracker.debian.org/news/882440https://www.dulwich.io/code/dulwich/https://www.dulwich.io/code/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6/https://tracker.debian.org/news/882440https://www.dulwich.io/code/dulwich/https://www.dulwich.io/code/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6/
2017-10-29
Published