PT-2015-4225 · Mercurial+2 · Mercurial+2

Published

2015-03-20

Updated

2022-05-14

CVE-2014-9462

CVSS v4.0

9.3

Critical

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Mercurial versions prior to 3.2.4

Description The issue allows remote attackers to execute arbitrary commands via a crafted repository name in a clone command. This is related to the validaterepo function in sshpeer.

Recommendations For versions prior to 3.2.4, update to version 3.2.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the clone command with crafted repository names until a patch is applied.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

ALT-PU-2015-1586

CVE-2014-9462

DLA-237-1

DSA-3257-1

GHSA-3PMW-H7J4-RF54

MGASA-2015-0129

PYSEC-2015-14

SUSE-SU-2015:0817-1

SUSE-SU-2015:0836-1

SUSE-SU-2015_0817-1

SUSE-SU-2015_0836-1

Affected Products

Alt Linux

Mercurial

Suse

PT-2015-4225 · Mercurial+2 · Mercurial+2

CVE-2014-9462

Weakness Enumeration

Related Identifiers

Affected Products

References · 40