Remote code execution in Mercurial

Published: 2017-06-28

Risk	High
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2017-9462
CWE-ID	CWE-20
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #1 is available.
Vulnerable software	Mercurial Web applications / CRM systems
Vendor	Mercurial

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Remote code execution

EUVDB-ID: #VU7220

Risk: High

CVSSv4.0: 8.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: CVE-2017-9462

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.

The weakness exists due to improper input validation in "hg serve --stdio". A remote attacker can use --debugger as a repository name and consequently execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 4.1.3 or later.

Vulnerable software versions

Mercurial: 3.4.0 - 4.1.2

CPE2.3

External links

https://www.mercurial-scm.org/repo/hg/rev/77eaf9539499

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.