CVE-2017-9462

Sažetak

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.

Reference

http://www.debian.org/security/2017/dsa-3963
http://www.securityfocus.com/bid/99123
https://access.redhat.com/errata/RHSA-2017:1576
https://bugs.debian.org/861243
https://lists.debian.org/debian-lts-announce/2018/07/msg00005.html
https://security.gentoo.org/glsa/201709-18
https://www.mercurial-scm.org/repo/hg/rev/77eaf9539499
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29

CVSS

Base:	9.0
Impact:	10.0
Exploitability:	8.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
COMPLETE	COMPLETE	COMPLETE

CVSS vektor

AV:N/AC:L/Au:S/C:C/I:C/A:C

Zadnje važnije ažuriranje

05-02-2020 - 18:32

Objavljeno

06-06-2017 - 21:29