Fluid Attacks Database

Description

Mercurial has Incorrect Permission Assignment for Critical Resource In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	mercurial	>=0 <4.1.3	4.1.3
debian 13	mercurial	>=0 <4.3.1-1	4.3.1-1
debian 12	mercurial	>=0 <4.3.1-1	4.3.1-1
debian 11	mercurial	>=0 <4.3.1-1	4.3.1-1
rpm rhel6	mercurial	<0:1.4-5.el6_9	0:1.4-5.el6_9
debian 14	mercurial	>=0 <4.3.1-1	4.3.1-1
rpm rhel7	mercurial	<0:2.6.2-7.el7_3	0:2.6.2-7.el7_3

Aliases

1. CVE-2017-94622. NVD-2017-94623. OSV-2017-94624. OSV-DEBIAN-2017-94625. GHSA-ghjx-3jg5-h6r26. GCVE-2017-94627. access.redhat.com8. lists.debian.org9. security.gentoo.org10. SECURITY-TRACKER-CVE-2017-9462

References

1. https://bugs.debian.org/8612432. https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2017-91.yaml3. https://web.archive.org/web/20200227162318/http://www.securityfocus.com/bid/991234. https://www.mercurial-scm.org/repo/hg/rev/77eaf95394995. https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.296. http://www.debian.org/security/2017/dsa-39637. https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/ssh/mercurial_ssh_exec.rb

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.