Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary commands (through the Mercurial adapter) via vectors involving a branch whose name begins with a --config= or --debugger= substring, a related issue to CVE-2017-17536.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2018-01-10T09:00:00
Updated: 2024-08-05T21:06:50.143Z
Reserved: 2018-01-10T00:00:00
Link: CVE-2017-18026
Vulnrichment
No data.
NVD
Status : Modified
Published: 2018-01-10T09:29:00.190
Modified: 2024-11-21T03:19:11.917
Link: CVE-2017-18026
Redhat
No data.