CVE-2017-9800
subversion: Command injection through clients via malicious svn+ssh URLs
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.
Una URL creada con fines maliciosos svn+ssh:// podría provocar que clientes de Subversion en versiones anteriores a la 1.8.19, en versiones 1.9.x anteriores a la 1.9.7, y en versiones 1.10.0.x a 1.10.0-alpha3 ejecuten un comando shell arbitrario. Tal URL podría ser generada por un servidor malicioso, por un usuario malicioso que se confirma en un servidor honesto (para atacar otro usuario de los repositorios de ese servidor), o por un servidor proxy. La vulnerabilidad afecta a todos los clientes, incluyendo aquellos que usan file://, http://, y svn:// plano (sin túnel).
A shell command injection flaw related to the handling of "svn+ssh" URLs has been discovered in Subversion. An attacker could use this flaw to execute shell commands with the privileges of the user running the Subversion client, for example when performing a "checkout" or "update" action on a malicious repository, or a legitimate repository containing a malicious commit.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-06-21 CVE Reserved
- 2017-08-10 CVE Published
- 2024-02-05 EPSS Updated
- 2024-09-16 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
References (15)
| URL | Tag | Source |
|---|---|---|
| http://packetstormsecurity.com/files/143722/Apache-Subversion-Arbitrary-Code-Execution.html | X_refsource_misc |
|
| http://www.securityfocus.com/archive/1/540999/100/0/threaded | Mailing List | |
| http://www.securityfocus.com/bid/100259 | Third Party Advisory | |
| http://www.securitytracker.com/id/1039127 | Third Party Advisory | |
| https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2017-08-11-933099891.html | X_refsource_confirm | |
| https://lists.apache.org/thread.html/cb607dc2f13bab9769147759ddccb14a4f9d8e5cdcad5e99c0d03b63%40%3Cannounce.apache.org%3E | Mailing List | |
| https://lists.apache.org/thread.html/d8cf53affd700dfce90bad4968fb8b1dfb69cf7c443052c70398ff76%40%3Ccommits.subversion.apache.org%3E | Mailing List | |
| https://support.apple.com/HT208103 | X_refsource_confirm |
|
| https://www.oracle.com/security-alerts/cpuoct2020.html | X_refsource_misc |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://www.debian.org/security/2017/dsa-3932 | 2023-11-07 | |
| https://access.redhat.com/errata/RHSA-2017:2480 | 2023-11-07 | |
| https://security.gentoo.org/glsa/201709-09 | 2023-11-07 | |
| https://subversion.apache.org/security/CVE-2017-9800-advisory.txt | 2023-11-07 | |
| https://access.redhat.com/security/cve/CVE-2017-9800 | 2017-08-15 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1479686 | 2017-08-15 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Subversion Search vendor "Apache" for product "Subversion" | <= 1.8.18 Search vendor "Apache" for product "Subversion" and version " <= 1.8.18" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Subversion Search vendor "Apache" for product "Subversion" | 1.9.0 Search vendor "Apache" for product "Subversion" and version "1.9.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Subversion Search vendor "Apache" for product "Subversion" | 1.9.1 Search vendor "Apache" for product "Subversion" and version "1.9.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Subversion Search vendor "Apache" for product "Subversion" | 1.9.2 Search vendor "Apache" for product "Subversion" and version "1.9.2" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Subversion Search vendor "Apache" for product "Subversion" | 1.9.3 Search vendor "Apache" for product "Subversion" and version "1.9.3" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Subversion Search vendor "Apache" for product "Subversion" | 1.9.4 Search vendor "Apache" for product "Subversion" and version "1.9.4" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Subversion Search vendor "Apache" for product "Subversion" | 1.9.5 Search vendor "Apache" for product "Subversion" and version "1.9.5" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Subversion Search vendor "Apache" for product "Subversion" | 1.9.6 Search vendor "Apache" for product "Subversion" and version "1.9.6" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Subversion Search vendor "Apache" for product "Subversion" | 1.10.0 Search vendor "Apache" for product "Subversion" and version "1.10.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Subversion Search vendor "Apache" for product "Subversion" | 1.10.0 Search vendor "Apache" for product "Subversion" and version "1.10.0" | alpha1 |
Affected
| ||||||
| Apache Search vendor "Apache" | Subversion Search vendor "Apache" for product "Subversion" | 1.10.0 Search vendor "Apache" for product "Subversion" and version "1.10.0" | alpha2 |
Affected
| ||||||
| Apache Search vendor "Apache" | Subversion Search vendor "Apache" for product "Subversion" | 1.10.0 Search vendor "Apache" for product "Subversion" and version "1.10.0" | alpha3 |
Affected
| ||||||