CVE-2014-9462

Description

The _validaterepo function in sshpeer in Mercurial before 3.2.4 allows remote attackers to execute arbitrary commands via a crafted repository name in a clone command.

Related CPE's

o opensuse opensuse 13.1 *******

o opensuse opensuse 13.2 *******

a mercurial mercurial ********

References

http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html

Exploit

http://mercurial.selenic.com/wiki/WhatsNew

Vendor Advisory

openSUSE-SU-2015:0617

119816

http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html

DSA-3257

GLSA-201612-19

CvssV3 impact

Could not find any metrics

CvssV2 impact

Version	2.0
VectorString	AV:N/AC:L/Au:N/C:P/I:P/A:P
AccessVector	NETWORK
AccessComplexity	LOW
Authentication	NONE
ConfidentialityImpact	PARTIAL
IntegrityImpact	PARTIAL
AvailabilityImpact	PARTIAL
BaseScore	7.5

Created by Yello

About Severity.io