CVE-2017-9800:
A maliciously constructed svn+ssh:// URL would cause Subversion clients to
run an arbitrary shell command. Such a URL could be generated by a malicious
server, by a malicious user committing to an honest server (to attack another
user of that server's repositories), or by a proxy server.
CVSSv3 Base Score: 9.9 (Critical)
CVSSv3 Base Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
A successful exploit will run an arbitrary shell command with the privileges
of the Subversion client.
CVE-2017-1000117:
A malicious third-party can give a crafted "ssh://..." URL to an
unsuspecting victim, and an attempt to visit the URL can result in
any program that exists on the victim's machine being executed.
Such a URL could be placed in the .gitmodules file of a malicious
project, and an unsuspecting victim could be tricked into running
"git clone --recurse-submodules" to trigger the vulnerability.
CVE-2017-1000115:
Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.
CVE-2017-1000116:
Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks by specifying a hostname starting with -oProxyCommand. This is also present in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800), so please patch those tools as well if you have them installed. All three tools are doing their security release today.
https://public-inbox.org/git/xmqqh8xf482j.fsf@gitster.mtv.corp.google.c…
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.282017-08-10…
http://subversion.apache.org/security/CVE-2017-9800-advisory.txt
http://blog.recurity-labs.com/2017-08-10/scm-vulns
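
The common root cause described above is a hostname from a URL reaching ssh's option parser. The following is an added example, not code from Git, Mercurial or Subversion, showing one way a client can validate URL parts before building the ssh command line. The function name, the allow-list and the sample URLs are assumptions made for illustration, and it assumes an OpenSSH-style client where `--` ends option parsing.

```python
import re
from urllib.parse import urlsplit, unquote

class UnsafeSshUrl(ValueError):
    """A URL component could be interpreted by ssh as an option."""

# Conservative allow-list (assumption): the value must start with an
# alphanumeric character, so a leading '-' such as "-oProxyCommand=..."
# can never reach ssh's option parser. IPv6 literals are out of scope here.
_SAFE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")

def _checked(label, value):
    value = unquote(value)  # validate the decoded form, not the escaped one
    if not _SAFE.fullmatch(value):
        raise UnsafeSshUrl("unsafe %s in URL: %r" % (label, value))
    return value

def build_ssh_argv(url, remote_command):
    """Return an argv list for ssh, or raise UnsafeSshUrl.

    remote_command is assumed to be a fixed string chosen by the client,
    never taken from the URL.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ssh", "svn+ssh"):
        raise UnsafeSshUrl("unexpected scheme: %r" % parts.scheme)
    if not parts.hostname:
        raise UnsafeSshUrl("missing hostname")
    host = _checked("hostname", parts.hostname)
    argv = ["ssh"]
    if parts.username is not None:
        argv += ["-l", _checked("username", parts.username)]
    try:
        port = parts.port  # raises ValueError if not a valid port number
    except ValueError as exc:
        raise UnsafeSshUrl("invalid port") from exc
    if port is not None:
        argv += ["-p", str(port)]
    # argv is a list handed to exec directly, so no shell parses it, and
    # "--" keeps the destination from being read as an option.
    return argv + ["--", host, remote_command]
```

Pass the returned list to `subprocess.run()` without `shell=True`, and apply the same check to URLs that arrive indirectly, such as submodule or externals definitions.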