9

CVE-2017-9462

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 21.51% 0.973
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 9 8 10
AV:N/AC:L/Au:S/C:C/I:C/A:C
CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

http://www.debian.org/security/2017/dsa-3963
Third Party Advisory
http://www.securityfocus.com/bid/99123
Third Party Advisory
VDB Entry
https://access.redhat.com/errata/RHSA-2017:1576
Third Party Advisory
https://bugs.debian.org/861243
Patch
Third Party Advisory
Mailing List
Issue Tracking
https://lists.debian.org/debian-lts-announce/2018/07/msg00005.html
Third Party Advisory
Mailing List
https://security.gentoo.org/glsa/201709-18
Third Party Advisory
https://www.mercurial-scm.org/repo/hg/rev/77eaf9539499
Vendor Advisory
Mailing List
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29
Vendor Advisory
Release Notes