{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-12-07T00:00:00", "descriptions": [{"lang": "en", "value": "In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-07-31T12:06:05", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[debian-lts-announce] 20171228 [SECURITY] [DLA 1224-1] mercurial security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00027.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.4.1_.282017-11-07.29"}, {"name": "[debian-lts-announce] 20180727 [SECURITY] [DLA 1414-2] mercurial regression update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00041.html"}, {"name": "[debian-lts-announce] 20180705 [SECURITY] [DLA 1414-1] mercurial security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00005.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.mercurial-scm.org/pipermail/mercurial-devel/2017-November/107333.html"}, {"name": "102926", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/102926"}, {"tags": ["x_refsource_MISC"], "url": "https://bz.mercurial-scm.org/show_bug.cgi?id=5730"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html"}, {"name": "[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-17458", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[debian-lts-announce] 20171228 [SECURITY] [DLA 1224-1] mercurial security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00027.html"}, {"name": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.4.1_.282017-11-07.29", "refsource": "MISC", "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.4.1_.282017-11-07.29"}, {"name": "[debian-lts-announce] 20180727 [SECURITY] [DLA 1414-2] mercurial regression update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00041.html"}, {"name": "[debian-lts-announce] 20180705 [SECURITY] [DLA 1414-1] mercurial security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00005.html"}, {"name": "https://www.mercurial-scm.org/pipermail/mercurial-devel/2017-November/107333.html", "refsource": "MISC", "url": "https://www.mercurial-scm.org/pipermail/mercurial-devel/2017-November/107333.html"}, {"name": "102926", "refsource": "BID", "url": "http://www.securityfocus.com/bid/102926"}, {"name": "https://bz.mercurial-scm.org/show_bug.cgi?id=5730", "refsource": "MISC", "url": "https://bz.mercurial-scm.org/show_bug.cgi?id=5730"}, {"name": "https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html", "refsource": "CONFIRM", "url": "https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html"}, {"name": "[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T20:51:31.432Z"}, "title": "CVE Program Container", "references": [{"name": "[debian-lts-announce] 20171228 [SECURITY] [DLA 1224-1] mercurial security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00027.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.4.1_.282017-11-07.29"}, {"name": "[debian-lts-announce] 20180727 [SECURITY] [DLA 1414-2] mercurial regression update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00041.html"}, {"name": "[debian-lts-announce] 20180705 [SECURITY] [DLA 1414-1] mercurial security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00005.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mercurial-scm.org/pipermail/mercurial-devel/2017-November/107333.html"}, {"name": "102926", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/102926"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bz.mercurial-scm.org/show_bug.cgi?id=5730"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html"}, {"name": "[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-17458", "datePublished": "2017-12-07T18:00:00", "dateReserved": "2017-12-07T00:00:00", "dateUpdated": "2024-08-05T20:51:31.432Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mercurial:mercurial:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE2530E4-4470-4A2F-8CE8-34B4FC22F33E", "versionEndExcluding": "4.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically."}, {"lang": "es", "value": "En Mercurial, en versiones anteriores a la 4.4.1, es posible que un repositorio especialmente mal formado provoque que los subrepositorios Git ejecuten c\u00f3digo arbitrario en la forma de un script .git/hooks/post-update verificado en el repositorio. El uso habitual de Mercurial evita la construcci\u00f3n de tales repositorios, pero pueden crearse program\u00e1ticamente."}], "id": "CVE-2017-17458", "lastModified": "2020-07-31T13:15:10.710", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-12-07T18:29:00.203", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/102926"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bz.mercurial-scm.org/show_bug.cgi?id=5730"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00027.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00005.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00041.html"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.mercurial-scm.org/pipermail/mercurial-devel/2017-November/107333.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.4.1_.282017-11-07.29"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "mercurial: arbitrary command execution in mercurial repo with a git submodule", "id": "1509868", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1509868"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "status": "draft"}, "details": ["In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically.", "It was found that mercurial was vulnerable to cross repositories modification. A specially crafted mercurial repository could trigger arbitrary commands on a client during commands such as clone or update."], "mitigation": {"lang": "en:us", "value": "Disable sub-repositories"}, "name": "CVE-2017-17458", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "mercurial", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "mercurial", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2017-11-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-17458\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-17458\nhttps://bz.mercurial-scm.org/show_bug.cgi?id=5730"], "statement": "This issue affects the versions of mercurial as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "threat_severity": "Moderate", "upstream_fix": "mercurial 4.4.1"}