CVE-2017-9800

CWE-20Improper Input ValidationCWE-77Command Injection20 documents13 sources
Severity
9.8CRITICAL
EPSS
60.3%
top 1.72%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache SubversionApache Software Foundation Apache Subversion
Timeline
PublishedAug 11
Latest updateMay 13

Description

A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

Debiansubversion< 1.9.7-1+3
Ubuntusubversion< 1.8.8-1ubuntu3.3+1
NVDapache/subversion1.8.18+8
CVEListV5apache_software_foundation/apache_subversion1.0.0 to 1.8.18, 1.9.0 to 1.9.6+1

🔴Vulnerability Details

5
GHSA
GHSA-34wf-vr8w-7xh4: A maliciously constructed svn+ssh:// URL would cause Subversion clients before 12022-05-13
GHSA
Dulwich RCE Vulnerability2022-05-13
CVEList
CVE-2017-9800: A maliciously constructed svn+ssh:// URL would cause Subversion clients before 12017-08-11
OSV
CVE-2017-9800: A maliciously constructed svn+ssh:// URL would cause Subversion clients before 12017-08-11
OSV
subversion vulnerabilities2017-08-11

📋Vendor Advisories

9
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: Install, config, upgrade (Apache HTTP Server) — CVE-2017-98002020-10-15
Red Hat
python-dulwich: Setting SSH arguments from untrusted URLs allows code execution2017-10-29
Ubuntu
Subversion vulnerabilities2017-10-24
Apple
CVE-2017-9800: Xcode 92017-09-19
Red Hat
bzr: does not strip bzr+ssh SSH options2017-08-26

💬Community

5
Bugzilla
CVE-2017-16228 python-dulwich: Setting SSH arguments from untrusted URLs allows code execution2017-11-03
HackerOne
RCE via ssh:// URIs in multiple VCS2017-09-21
Bugzilla
CVE-2017-12976 git-annex: RCE via ssh URL with an initial dash character in the hostname2017-08-24
Bugzilla
CVE-2017-9800 subversion: Arbitrary code execution on clients through malicious svn+ssh URLs [fedora-all]2017-08-10
Bugzilla
CVE-2017-9800 subversion: Command injection through clients via malicious svn+ssh URLs2017-08-09
CVE-2017-9800 (CRITICAL CVSS 9.8) | A maliciously constructed svn+ssh:/ | cvebase.io