CVE-2017-9462

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 97%
Affected Products (NVD)
VendorProductVersion
mercurialmercurial
𝑥
< 4.1.3
debiandebian_linux
8.0
debiandebian_linux
9.0
redhatenterprise_linux_desktop
6.0
redhatenterprise_linux_desktop
7.0
redhatenterprise_linux_server
6.0
redhatenterprise_linux_server
7.0
redhatenterprise_linux_server_aus
7.3
redhatenterprise_linux_server_aus
7.4
redhatenterprise_linux_server_aus
7.6
redhatenterprise_linux_server_eus
7.3
redhatenterprise_linux_server_eus
7.4
redhatenterprise_linux_server_eus
7.5
redhatenterprise_linux_server_eus
7.6
redhatenterprise_linux_server_tus
7.3
redhatenterprise_linux_server_tus
7.6
redhatenterprise_linux_workstation
6.0
redhatenterprise_linux_workstation
7.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
mercurial
bookworm
6.3.2-1
fixed
bullseye
5.6.1-4
fixed
sid
6.8.2-1
fixed
trixie
6.8.2-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
mercurial
artful
Fixed 4.3.1-2
released
bionic
not-affected
cosmic
not-affected
trusty
Fixed 2.8.2-1ubuntu1.4
released
xenial
Fixed 3.7.3-1ubuntu1.1
released
yakkety
ignored
zesty
ignored
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
emacs-mercurial
RHEL 6
0:1.4-5.el6_9
fixed
RHEL 7
0:2.6.2-7.el7_3
fixed
emacs-mercurial-el
RHEL 6
0:1.4-5.el6_9
fixed
RHEL 7
0:2.6.2-7.el7_3
fixed
mercurial
RHEL 6
0:1.4-5.el6_9
fixed
RHEL 7
0:2.6.2-7.el7_3
fixed
mercurial-hgk
RHEL 6
0:1.4-5.el6_9
fixed
RHEL 7
0:2.6.2-7.el7_3
fixed
Common Weakness Enumeration
References
http://www.debian.org/security/2017/dsa-3963
http://www.securityfocus.com/bid/99123
https://access.redhat.com/errata/RHSA-2017:1576
https://bugs.debian.org/861243
https://lists.debian.org/debian-lts-announce/2018/07/msg00005.html
https://security.gentoo.org/glsa/201709-18
https://www.mercurial-scm.org/repo/hg/rev/77eaf9539499
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29
http://www.debian.org/security/2017/dsa-3963
http://www.securityfocus.com/bid/99123
https://access.redhat.com/errata/RHSA-2017:1576
https://bugs.debian.org/861243
https://lists.debian.org/debian-lts-announce/2018/07/msg00005.html
https://security.gentoo.org/glsa/201709-18
https://www.mercurial-scm.org/repo/hg/rev/77eaf9539499
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29