CVE-2017-1000116
Published: 05 October 2017
Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks.
From the Ubuntu security team
It was discovered that Mercurial incorrectly handled hostnames passed to ssh. An attacker could possibly use this issue to execute arbitrary code.
Priority
Medium
CVSS 3 base score: 9.8
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000116
- https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.282017-08-10.29
- https://www.mercurial-scm.org/repo/hg/rev/53224b1ffbc2
- https://www.mercurial-scm.org/repo/hg/rev/e10745311406
- https://www.mercurial-scm.org/repo/hg/rev/f93975a5ebe8
- https://www.mercurial-scm.org/repo/hg/rev/f9134e96ed0f
- https://www.mercurial-scm.org/repo/hg/rev/92b583e3e522
- https://www.mercurial-scm.org/repo/hg/rev/08cfc4baf3ba
- https://www.mercurial-scm.org/repo/hg/rev/55681baf4cf9
- https://www.mercurial-scm.org/repo/hg/rev/173ecccb9ee7
- https://www.mercurial-scm.org/repo/hg/rev/ca398a50ca00
- https://www.mercurial-scm.org/repo/hg/rev/00a75672a9cb
- https://www.mercurial-scm.org/repo/hg/rev/943c91326b23
- NVD
- Launchpad
- Debian