#VU31408 OS Command Injection in Mercurial - CVE-2017-1000116


| Updated: 2020-07-18

Vulnerability identifier: #VU31408

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-1000116

CWE-ID: CWE-78

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mercurial
Client/Desktop applications / Other client software

Vendor: Mercurial

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Mercurial: 4.0 - 4.2.3

External links
https://www.debian.org/security/2017/dsa-3963
https://www.securityfocus.com/bid/100290
https://access.redhat.com/errata/RHSA-2017:2489
https://security.gentoo.org/glsa/201709-18
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.2F_4.3.1_.282017-08-10.29

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Mercurial
Gentoo update for Mercurial
Amazon Linux AMI update for mercurial
OS Command Injection in mercurial (Alpine package)
Red Hat Enterprise Linux 7 update for mercurial
Fedora 26 update for mercurial
Fedora 25 update for mercurial
Slackware Linux update for mercurial
Arch Linux update for mercurial