CVE-2017-17458OS Command Injection in Mercurial

CWE-78OS Command Injection9 documents7 sources
Severity
9.8CRITICALNVD
EPSS
17.2%
top 4.95%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
MercurialDebian MercurialDebian Linux
Timeline
PublishedDec 7
Latest updateMay 13

Description

In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

debiandebian/mercurial< mercurial 4.4.1-1 (bookworm)
NVDmercurial/mercurial< 4.4.1
PyPImercurial/mercurial< 4.4.1
Debianmercurial/mercurial< 4.4.1-1+3

Also affects: Debian Linux 7.0, 8.0

🔴Vulnerability Details

4
GHSA
Mercurial vulnerable to arbitrary code injection2022-05-13
OSV
Mercurial vulnerable to arbitrary code injection2022-05-13
OSV
CVE-2017-17458: In Mercurial before 42017-12-07
CVEList
CVE-2017-17458: In Mercurial before 42017-12-07

📋Vendor Advisories

2
Red Hat
mercurial: arbitrary command execution in mercurial repo with a git submodule2017-11-03
Debian
CVE-2017-17458: mercurial - In Mercurial before 4.4.1, it is possible that a specially malformed repository ...2017

💬Community

2
Bugzilla
CVE-2017-17458 mercurial: arbitrary command execution in mercurial repo with a git submodule [fedora-all]2017-11-06
Bugzilla
CVE-2017-17458 mercurial: arbitrary command execution in mercurial repo with a git submodule2017-11-06