CVE-2017-9462

Опубликовано: 06 июн. 2017

Источник: nvd

CVSS3: 8.8

CVSS2: 9

EPSS Средний

Описание

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.

Ссылки

http://www.debian.org/security/2017/dsa-3963
Third Party Advisory
http://www.securityfocus.com/bid/99123
Third Party Advisory
VDB Entry
https://access.redhat.com/errata/RHSA-2017:1576
Third Party Advisory
https://bugs.debian.org/861243
Issue Tracking
Mailing List
Patch
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/07/msg00005.html
Mailing List
Third Party Advisory
https://security.gentoo.org/glsa/201709-18
Third Party Advisory
https://www.mercurial-scm.org/repo/hg/rev/77eaf9539499
Mailing List
Vendor Advisory
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29
Release Notes
Vendor Advisory
http://www.debian.org/security/2017/dsa-3963
Third Party Advisory
http://www.securityfocus.com/bid/99123
Third Party Advisory
VDB Entry
https://access.redhat.com/errata/RHSA-2017:1576
Third Party Advisory
https://bugs.debian.org/861243
Issue Tracking
Mailing List
Patch
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/07/msg00005.html
Mailing List
Third Party Advisory
https://security.gentoo.org/glsa/201709-18
Third Party Advisory
https://www.mercurial-scm.org/repo/hg/rev/77eaf9539499
Mailing List
Vendor Advisory
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29
Release Notes
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:mercurial:mercurial:*:*:*:*:*:*:*:*

Версия до 4.1.3 (исключая)

Конфигурация 2

Одно из

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

EPSS

Процентиль: 98%

0.48699

Средний

8.8 High

CVSS3

9 Critical

CVSS2

Дефекты

CWE-732

Связанные уязвимости

CVE-2017-9462

CVSS3: 8.8

ubuntu

больше 8 лет назад

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.

CVE-2017-9462

CVSS3: 6.3

redhat

больше 8 лет назад

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.

CVE-2017-9462

CVSS3: 8.8

debian

больше 8 лет назад

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authentica ...

openSUSE-SU-2017:1572-1

suse-cvrf

больше 8 лет назад

Security update for mercurial

SUSE-SU-2017:1606-1

suse-cvrf

больше 8 лет назад

Security update for mercurial

EPSS

Процентиль: 98%

0.48699

Средний

8.8 High

CVSS3

9 Critical

CVSS2

Дефекты

CWE-732