{"containers": {"cna": {"affected": [{"product": "Apache Subversion", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "1.0.0 to 1.8.18"}, {"status": "affected", "version": "1.9.0 to 1.9.6"}]}], "datePublic": "2017-08-10T00:00:00", "descriptions": [{"lang": "en", "value": "A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://."}], "problemTypes": [{"descriptions": [{"description": "Remote Code Execution", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-10-20T21:14:52", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "[announce] 20170810 [SECURITY][ANNOUNCE] Apache Subversion 1.9.7 released", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/cb607dc2f13bab9769147759ddccb14a4f9d8e5cdcad5e99c0d03b63%40%3Cannounce.apache.org%3E"}, {"name": "100259", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/100259"}, {"name": "20170810 [SECURITY][ANNOUNCE] Apache Subversion 1.9.7 released", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/540999/100/0/threaded"}, {"name": "RHSA-2017:2480", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:2480"}, {"name": "1039127", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1039127"}, {"name": "GLSA-201709-09", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201709-09"}, {"name": "DSA-3932", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2017/dsa-3932"}, {"name": "[subversion-commits] 20190830 svn commit: r1866117 - in /subversion/site/publish/docs/community-guide: how-to-roll-releases-in-private.txt issues.part.html", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/d8cf53affd700dfce90bad4968fb8b1dfb69cf7c443052c70398ff76%40%3Ccommits.subversion.apache.org%3E"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2017-08-11-933099891.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.apple.com/HT208103"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://subversion.apache.org/security/CVE-2017-9800-advisory.txt"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/143722/Apache-Subversion-Arbitrary-Code-Execution.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2017-08-10T00:00:00", "ID": "CVE-2017-9800", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Subversion", "version": {"version_data": [{"version_value": "1.0.0 to 1.8.18"}, {"version_value": "1.9.0 to 1.9.6"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Remote Code Execution"}]}]}, "references": {"reference_data": [{"name": "[announce] 20170810 [SECURITY][ANNOUNCE] Apache Subversion 1.9.7 released", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/cb607dc2f13bab9769147759ddccb14a4f9d8e5cdcad5e99c0d03b63@%3Cannounce.apache.org%3E"}, {"name": "100259", "refsource": "BID", "url": "http://www.securityfocus.com/bid/100259"}, {"name": "20170810 [SECURITY][ANNOUNCE] Apache Subversion 1.9.7 released", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/540999/100/0/threaded"}, {"name": "RHSA-2017:2480", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:2480"}, {"name": "1039127", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1039127"}, {"name": "GLSA-201709-09", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201709-09"}, {"name": "DSA-3932", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2017/dsa-3932"}, {"name": "[subversion-commits] 20190830 svn commit: r1866117 - in /subversion/site/publish/docs/community-guide: how-to-roll-releases-in-private.txt issues.part.html", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/d8cf53affd700dfce90bad4968fb8b1dfb69cf7c443052c70398ff76@%3Ccommits.subversion.apache.org%3E"}, {"name": "https://www.oracle.com/security-alerts/cpuoct2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"name": "https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2017-08-11-933099891.html", "refsource": "CONFIRM", "url": "https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2017-08-11-933099891.html"}, {"name": "https://support.apple.com/HT208103", "refsource": "CONFIRM", "url": "https://support.apple.com/HT208103"}, {"name": "https://subversion.apache.org/security/CVE-2017-9800-advisory.txt", "refsource": "CONFIRM", "url": "https://subversion.apache.org/security/CVE-2017-9800-advisory.txt"}, {"name": "http://packetstormsecurity.com/files/143722/Apache-Subversion-Arbitrary-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/143722/Apache-Subversion-Arbitrary-Code-Execution.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T17:18:01.929Z"}, "title": "CVE Program Container", "references": [{"name": "[announce] 20170810 [SECURITY][ANNOUNCE] Apache Subversion 1.9.7 released", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/cb607dc2f13bab9769147759ddccb14a4f9d8e5cdcad5e99c0d03b63%40%3Cannounce.apache.org%3E"}, {"name": "100259", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/100259"}, {"name": "20170810 [SECURITY][ANNOUNCE] Apache Subversion 1.9.7 released", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/540999/100/0/threaded"}, {"name": "RHSA-2017:2480", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:2480"}, {"name": "1039127", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1039127"}, {"name": "GLSA-201709-09", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201709-09"}, {"name": "DSA-3932", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2017/dsa-3932"}, {"name": "[subversion-commits] 20190830 svn commit: r1866117 - in /subversion/site/publish/docs/community-guide: how-to-roll-releases-in-private.txt issues.part.html", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/d8cf53affd700dfce90bad4968fb8b1dfb69cf7c443052c70398ff76%40%3Ccommits.subversion.apache.org%3E"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2017-08-11-933099891.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.apple.com/HT208103"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://subversion.apache.org/security/CVE-2017-9800-advisory.txt"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/143722/Apache-Subversion-Arbitrary-Code-Execution.html"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2017-9800", "datePublished": "2017-08-11T21:00:00Z", "dateReserved": "2017-06-21T00:00:00", "dateUpdated": "2024-09-16T23:36:59.228Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:subversion:*:*:*:*:*:*:*:*", "matchCriteriaId": "C10F0402-14B0-4870-91A0-53BA3200B2B1", "versionEndIncluding": "1.8.18", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:subversion:1.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "892FF423-1848-4E69-8C4C-E1972B656196", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:subversion:1.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "9ACF37C7-8752-4A8F-B7E3-2E813C4A0DF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:subversion:1.9.2:*:*:*:*:*:*:*", "matchCriteriaId": "74200C33-9505-48EB-964D-6CA28C7F6DB8", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:subversion:1.9.3:*:*:*:*:*:*:*", "matchCriteriaId": "09FBAFE7-986D-4B24-8122-FDCC380331C9", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:subversion:1.9.4:*:*:*:*:*:*:*", "matchCriteriaId": "32B6148E-3E5F-4DCB-BD8E-45B3D56CB18C", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:subversion:1.9.5:*:*:*:*:*:*:*", "matchCriteriaId": "DA37FBDF-C9BD-4D8F-B24A-CC35DF7EE7FA", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:subversion:1.9.6:*:*:*:*:*:*:*", "matchCriteriaId": "E228BEF8-CACB-46DF-816B-ECCB406DFB60", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:subversion:1.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "BDEDF94B-8B94-43AD-8DA7-580EF40CAD26", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:subversion:1.10.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "8053093C-E4F4-411B-A4B7-1728E40E7D89", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:subversion:1.10.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "6997704A-5C87-47B7-BF17-5C0F43642065", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:subversion:1.10.0:alpha3:*:*:*:*:*:*", "matchCriteriaId": "B1E5C581-41D7-4694-A050-5455D6C8BB74", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://."}, {"lang": "es", "value": "Una URL creada con fines maliciosos svn+ssh:// podr\u00eda provocar que clientes de Subversion en versiones anteriores a la 1.8.19, en versiones 1.9.x anteriores a la 1.9.7, y en versiones 1.10.0.x a 1.10.0-alpha3 ejecuten un comando shell arbitrario. Tal URL podr\u00eda ser generada por un servidor malicioso, por un usuario malicioso que se confirma en un servidor honesto (para atacar otro usuario de los repositorios de ese servidor), o por un servidor proxy. La vulnerabilidad afecta a todos los clientes, incluyendo aquellos que usan file://, http://, y svn:// plano (sin t\u00fanel)."}], "id": "CVE-2017-9800", "lastModified": "2023-11-07T02:50:53.333", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-08-11T21:29:00.587", "references": [{"source": "security@apache.org", "url": "http://packetstormsecurity.com/files/143722/Apache-Subversion-Arbitrary-Code-Execution.html"}, {"source": "security@apache.org", "url": "http://www.debian.org/security/2017/dsa-3932"}, {"source": "security@apache.org", "url": "http://www.securityfocus.com/archive/1/540999/100/0/threaded"}, {"source": "security@apache.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/100259"}, {"source": "security@apache.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1039127"}, {"source": "security@apache.org", "url": "https://access.redhat.com/errata/RHSA-2017:2480"}, {"source": "security@apache.org", "url": "https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2017-08-11-933099891.html"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/cb607dc2f13bab9769147759ddccb14a4f9d8e5cdcad5e99c0d03b63%40%3Cannounce.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/d8cf53affd700dfce90bad4968fb8b1dfb69cf7c443052c70398ff76%40%3Ccommits.subversion.apache.org%3E"}, {"source": "security@apache.org", "url": "https://security.gentoo.org/glsa/201709-09"}, {"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://subversion.apache.org/security/CVE-2017-9800-advisory.txt"}, {"source": "security@apache.org", "url": "https://support.apple.com/HT208103"}, {"source": "security@apache.org", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Subversion Team for reporting this issue.", "affected_release": [{"advisory": "RHSA-2017:2480", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "subversion-0:1.7.14-11.el7_4", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2017-08-15T00:00:00Z"}], "bugzilla": {"description": "subversion: Command injection through clients via malicious svn+ssh URLs", "id": "1479686", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1479686"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-20", "details": ["A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.", "A shell command injection flaw related to the handling of \"svn+ssh\" URLs has been discovered in Subversion. An attacker could use this flaw to execute shell commands with the privileges of the user running the Subversion client, for example when performing a \"checkout\" or \"update\" action on a malicious repository, or a legitimate repository containing a malicious commit."], "mitigation": {"lang": "en:us", "value": "There are various methods available to mitigate this issue. For further information, please refer to the Subversion advisory available at:\nhttps://subversion.apache.org/security/CVE-2017-9800-advisory.txt"}, "name": "CVE-2017-9800", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "subversion", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "subversion", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2017-08-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-9800\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-9800\nhttps://subversion.apache.org/security/CVE-2017-9800-advisory.txt"], "threat_severity": "Important", "upstream_fix": "subversion 1.8.18, subversion 1.9.7"}