CVE-2017-12836

CVS 1.12.x, when configured to use SSH for remote repositories, might allow remote attackers to execute arbitrary code via a repository URL with a crafted hostname, as demonstrated by "-oProxyCommand=id;localhost:/bar."
References
Link Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1480800 Issue Tracking Patch Third Party Advisory VDB Entry
http://www.ubuntu.com/usn/USN-3399-1 Third Party Advisory
http://www.securityfocus.com/bid/100279 Third Party Advisory VDB Entry
http://www.openwall.com/lists/oss-security/2017/08/11/4 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2017/08/11/1 Exploit Mailing List Third Party Advisory
http://www.debian.org/security/2017/dsa-3940 Third Party Advisory
http://lists.nongnu.org/archive/html/bug-cvs/2017-08/msg00000.html Exploit Mailing List Vendor Advisory
https://security.gentoo.org/glsa/201709-17 Third Party Advisory
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

OR cpe:2.3:a:gnu:cvs:1.12.12:*:*:*:*:*:*:*
cpe:2.3:a:gnu:cvs:1.12.6:*:*:*:*:*:*:*
cpe:2.3:a:gnu:cvs:1.12.3:*:*:*:*:*:*:*
cpe:2.3:a:gnu:cvs:1.12.11:*:*:*:*:*:*:*
cpe:2.3:a:gnu:cvs:1.12.10:*:*:*:*:*:*:*
cpe:2.3:a:gnu:cvs:1.12.9:*:*:*:*:*:*:*
cpe:2.3:a:gnu:cvs:1.12.7:*:*:*:*:*:*:*
cpe:2.3:a:gnu:cvs:1.12.13:*:*:*:*:*:*:*
cpe:2.3:a:gnu:cvs:1.12.5:*:*:*:*:*:*:*
cpe:2.3:a:gnu:cvs:1.12.1:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:canonical:ubuntu_linux:17.04:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Information

Published : 2017-08-24 07:29

Updated : 2019-10-02 17:03


NVD link : CVE-2017-12836

Mitre link : CVE-2017-12836


JSON object : View

Advertisement

dedicated server usa

Products Affected

debian

  • debian_linux

canonical

  • ubuntu_linux

gnu

  • cvs