Fluid Attacks Database

Description

Bazaar allows remote attackers to execute arbitrary commands via a bzr+ssh URL with initial dash character in hostname Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	breezy	>=0 <3.0.0~bzr6772-1	3.0.0~bzr6772-1
debian 11	bzr	>=0 <2.7.0+bzr6622-7	2.7.0+bzr6622-7
debian 12	bzr	>=0 <2.7.0+bzr6622-7	2.7.0+bzr6622-7
debian 13	breezy	>=0 <3.0.0~bzr6772-1	3.0.0~bzr6772-1
debian 12	breezy	>=0 <3.0.0~bzr6772-1	3.0.0~bzr6772-1
debian 14	breezy	>=0 <3.0.0~bzr6772-1	3.0.0~bzr6772-1
debian 13	bzr	>=0 <2.7.0+bzr6622-7	2.7.0+bzr6622-7
rpm rhel6	bzr	-	-
rpm rhel7	bzr	-	-
pypi	bzr	>=0 <=2.7.0	-

Aliases

1. CVE-2017-141762. NVD-2017-141763. OSV-DEBIAN-2017-141764. OSV-2017-141765. GCVE-2017-141766. SECURITY-TRACKER-CVE-2017-14176

References

1. https://bugs.debian.org/8744292. https://bugs.launchpad.net/bzr/+bug/17109793. https://bugzilla.redhat.com/show_bug.cgi?id=14866854. https://bugzilla.suse.com/show_bug.cgi?id=10582145. https://github.com/pypa/advisory-database/tree/main/vulns/bzr/PYSEC-2017-149.yaml6. https://www.debian.org/security/2017/dsa-40527. http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14176.html8. http://www.ubuntu.com/usn/usn-3411-1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.