GitHub Advisory DatabaseGHSA-GHJX-3JG5-H6R2High severity vulnerability that affects mercurial
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
0.03 Low
EPSS
Percentile
90.8%
In Mercurial before 4.1.3, “hg serve --stdio” allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.
References
www.debian.org/security/2017/dsa-3963
www.securityfocus.com/bid/99123
access.redhat.com/errata/RHSA-2017:1576
bugs.debian.org/861243
github.com/advisories/GHSA-ghjx-3jg5-h6r2
lists.debian.org/debian-lts-announce/2018/07/msg00005.html
nvd.nist.gov/vuln/detail/CVE-2017-9462
security.gentoo.org/glsa/201709-18
www.mercurial-scm.org/repo/hg/rev/77eaf9539499
www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29
Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
0.03 Low
EPSS
Percentile
90.8%