Fluid Attacks Database

Description

Mercurial vulnerable to arbitrary command execution via a crafted repository name in a clone command The _validaterepo function in sshpeer in Mercurial before 3.2.4 allows remote attackers to execute arbitrary commands via a crafted repository name in a clone command.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	mercurial	>=0 <3.2.4	3.2.4
debian 13	mercurial	>=0 <3.4-1	3.4-1
debian 14	mercurial	>=0 <3.4-1	3.4-1
debian 12	mercurial	>=0 <3.4-1	3.4-1
debian 11	mercurial	>=0 <3.4-1	3.4-1
rpm rhel7	mercurial	-	-
rpm rhel6	mercurial	-	-

Aliases

1. CVE-2014-94622. NVD-2014-94623. OSV-2014-94624. OSV-DEBIAN-2014-94625. GCVE-2014-94626. security.gentoo.org7. SECURITY-TRACKER-CVE-2014-9462

References

1. https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2015-14.yaml2. http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html3. http://lists.opensuse.org/opensuse-updates/2015-03/msg00085.html4. http://mercurial.selenic.com/wiki/WhatsNew5. http://www.debian.org/security/2015/dsa-32576. http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.