Vulnerability Name: CVE-2014-9462 (CCN-102525)

Assigned: 2015-01-01
Published: 2015-01-01
Updated: 2018-10-30
Summary: The _validaterepo function in sshpeer in Mercurial before 3.2.4 allows remote attackers to execute arbitrary commands via a crafted repository name in a clone command.
CVSS v3 Severity: 7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
  Scope:
    Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): Low
    Integrity (I): Low
    Availability (A): Low
CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): Low
    Authentication (Au): None
  Impact Metrics:
    Confidentiality (C): Partial
    Integrity (I): Partial
    Availability (A): Partial
6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): Medium
    Authentication (Au): None
  Impact Metrics:
    Confidentiality (C): Partial
    Integrity (I): Partial
    Availability (A): Partial
Vulnerability Type: CWE-20
Vulnerability Consequences: Gain Access
References:

Source: MISC
Type: Exploit
http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html

Source: MITRE
Type: CNA
CVE-2014-9462

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2015:0617

Source: CCN
Type: Mercurial Web site
Release Note

Source: CONFIRM
Type: Vendor Advisory
http://mercurial.selenic.com/wiki/WhatsNew

Source: DEBIAN
Type: UNKNOWN
DSA-3257

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html

Source: OSVDB
Type: UNKNOWN
119816

Source: CCN
Type: BID-73688
Mercurial '_validaterepo()' Function Command Injection Vulnerability

Source: XF
Type: UNKNOWN
mercurial-cve20149462-command-exec(102525)

Source: GENTOO
Type: UNKNOWN
GLSA-201612-19

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2014-9462

Vulnerable Configuration:

Configuration 1:
  • cpe:/o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
  • OR cpe:/o:opensuse:opensuse:13.2:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/a:mercurial:mercurial:*:*:*:*:*:*:*:* (Version <= 3.2.3)

Configuration CCN 1:
  • cpe:/a:mercurial-scm:mercurial:3.2.3:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions:

Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20149462 | V | CVE-2014-9462 | 2022-09-02
oval:org.opensuse.security:def:10428 | P | Security update for MozillaFirefox (Important) (in QA) | 2022-01-14
oval:org.opensuse.security:def:10441 | P | Security update for busybox (Important) (in QA) | 2022-01-14
oval:org.opensuse.security:def:10440 | P | Security update for MozillaFirefox (Important) (in QA) | 2022-01-14
oval:org.opensuse.security:def:9888 | P | Security update for libvirt (Important) | 2022-01-11
oval:org.opensuse.security:def:10196 | P | Security update for net-snmp (Important) | 2021-12-27
oval:org.opensuse.security:def:10432 | P | Security update for p11-kit (Important) | 2021-12-22
oval:org.opensuse.security:def:9631 | P | Security update for fetchmail (Moderate) | 2021-12-14
oval:org.opensuse.security:def:10377 | P | Security update for xen (Moderate) | 2021-12-09
oval:org.opensuse.security:def:9821 | P | Security update for aaa_base (Moderate) | 2021-12-03
oval:org.opensuse.security:def:9619 | P | Security update for python-Pygments (Important) | 2021-12-01
oval:org.opensuse.security:def:9606 | P | Security update for libvirt (Important) | 2021-10-27
oval:org.opensuse.security:def:10355 | P | Security update for busybox (Important) | 2021-10-27
oval:org.opensuse.security:def:10352 | P | Security update for containerd, docker, runc (Important) | 2021-10-25
oval:org.opensuse.security:def:10160 | P | Security update for MozillaFirefox (Important) | 2021-10-11
oval:org.opensuse.security:def:9597 | P | Security update for MozillaFirefox (Important) | 2021-10-11
oval:org.opensuse.security:def:26142 | P | Security update for apache2 (Important) | 2021-10-06
oval:org.opensuse.security:def:9404 | P | Security update for grilo (Important) | 2021-10-06
oval:org.opensuse.security:def:9589 | P | Security update for openssl-1_1 (Low) | 2021-09-07
oval:org.opensuse.security:def:10150 | P | Security update for xen (Important) | 2021-09-03
oval:org.opensuse.security:def:10147 | P | Security update for xerces-c (Important) | 2021-09-02
oval:org.opensuse.security:def:10333 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:9382 | P | Security update for libass (Important) | 2021-08-20
oval:org.opensuse.security:def:10138 | P | Security update for php7 (Important) | 2021-08-20
oval:org.opensuse.security:def:10128 | P | Security update for MozillaFirefox (Important) | 2021-08-17
oval:org.opensuse.security:def:9374 | P | Security update for MozillaFirefox (Important) | 2021-08-17
oval:org.opensuse.security:def:10689 | P | Security update for bluez (Moderate) | 2021-07-22
oval:org.opensuse.security:def:10120 | P | Security update for curl (Moderate) | 2021-07-21
oval:org.opensuse.security:def:11101 | P | Security update for fossil (Moderate) | 2021-07-17
oval:org.opensuse.security:def:26078 | P | Security update for libxml2 (Moderate) | 2021-06-18
oval:org.opensuse.security:def:9531 | P | Security update for squid (Important) | 2021-06-11
oval:org.opensuse.security:def:10277 | P | Security update for spice-gtk (Moderate) | 2021-06-10
oval:org.opensuse.security:def:9727 | P | Security update for ucode-intel (Important) | 2021-06-10
oval:org.opensuse.security:def:16420 | P | eog-devel-3.20.4-7.7 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:16627 | P | openexr-devel-2.1.0-6.3.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:11413 | P | libvte9-0.28.2-17.83 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:11391 | P | libproxy1-0.4.11-11.2 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:16083 | P | mercurial-2.8.2-9.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:16412 | P | cyrus-sasl-devel-2.1.26-8.7.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:16454 | P | gwenhywfar-devel-4.9.0beta-3.3.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:16663 | P | virglrenderer-devel-0.5.0-11.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:16333 | P | mercurial-2.8.2-14.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:26067 | P | Security update for MozillaFirefox (Important) | 2021-06-08
oval:org.opensuse.security:def:16539 | P | libmspack-devel-0.4-14.4 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:124621 | P | mercurial-2.8.2-15.13.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:36517 | P | mercurial-2.3.2-0.9.2 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:16615 | P | mercurial-2.8.2-15.13.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:16596 | P | libusbmuxd-devel-1.0.10-2.3 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:15867 | P | mercurial-2.8.2-3.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:10096 | P | Security update for gstreamer-plugins-bad (Important) | 2021-06-08
oval:org.opensuse.security:def:26066 | P | Security update for gstreamer-plugins-bad (Important) | 2021-06-07
oval:org.opensuse.security:def:9712 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:9512 | P | Security update for curl (Moderate) | 2021-05-31
oval:org.opensuse.security:def:10258 | P | Security update for the Linux Kernel (Important) | 2021-05-18
oval:org.opensuse.security:def:10071 | P | Security update for bind (Important) | 2021-05-04
oval:org.opensuse.security:def:9497 | P | Security update for stunnel (Important) | 2021-05-03
oval:org.opensuse.security:def:9695 | P | Security update for xen (Important) | 2021-04-30
oval:org.opensuse.security:def:10243 | P | Security update for libnettle (Important) | 2021-04-28
oval:org.opensuse.security:def:9682 | P | Security update for tomcat (Important) | 2021-04-01
oval:org.opensuse.security:def:10419 | P | Security update for ruby2.5 (Important) | 2021-03-24
oval:org.opensuse.security:def:9673 | P | Security update for ldb (Important) | 2021-03-24
oval:org.opensuse.security:def:9869 | P | Security update for gnutls (Important) | 2021-03-24
oval:org.opensuse.security:def:9665 | P | Security update for python (Moderate) | 2021-03-11
oval:org.opensuse.security:def:9847 | P | Security update for glibc (Important) | 2021-02-26
oval:org.opensuse.security:def:9846 | P | Security update for salt (Critical) | 2021-02-26
oval:org.opensuse.security:def:9450 | P | Security update for webkit2gtk3 (Important) | 2021-02-24
oval:org.opensuse.security:def:9839 | P | Security update for wpa_supplicant (Important) | 2021-02-11
oval:org.opensuse.security:def:10664 | P | Security update for the Linux Kernel (Important) | 2021-02-09
oval:org.opensuse.security:def:9746 | P | Security update for go1.14 (Moderate) | 2021-01-26
oval:org.opensuse.security:def:10589 | P | Security update for gimp (Important) | 2020-12-28
oval:org.opensuse.security:def:16896 | P | libsvn_auth_kwallet-1-0-1.8.10-24.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:4091 | P | mercurial-2.8.2-15.13.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:16773 | P | libXext-devel-1.3.2-4.3.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:16862 | P | libpacemaker-devel-1.1.21+20190809.bf34b44fa-1.17 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:16805 | P | libcurl-devel-7.60.0-9.8 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:16874 | P | libptexenc1-1.3.2dev-22.3.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:16927 | P | mercurial-2.8.2-15.13.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:26408 | P | Security update for phpMyAdmin (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26745 | P | libexiv2-4 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26669 | P | apache2-mod_perl on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27014 | P | perl-libwww-perl on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26842 | P | xen on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27116 | P | emacs on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:9977 | P | python-pywbem on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10548 | P | libssh2-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10508 | P | libipa_hbac-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26492 | P | Security update for icingaweb2 (Important) | 2020-12-01
oval:org.opensuse.security:def:10731 | P | libexpat-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:17560 | P | Security update for mercurial (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26396 | P | Security update for chromium (Important) | 2020-12-01
oval:org.opensuse.security:def:26726 | P | kdelibs4 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27063 | P | xterm on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:17534 | P | Security update for cups, cups154 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27480 | P | libreoffice-testtool on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27160 | P | kdenetwork4-filesharing on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:9996 | P | sudo on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10820 | P | mercurial on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10555 | P | libtool on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10798 | P | libtasn1-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26384 | P | Security update for chromium (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26270 | P | Security update for mariadb-100 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26643 | P | systemtap on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10740 | P | libgssglue-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26460 | P | Security update for chromium (Important) | 2020-12-01
oval:org.opensuse.security:def:26810 | P | pure-ftpd on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26784 | P | mono-core on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27515 | P | mercurial on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27798 | P | Security update for libmpfr | 2020-12-01
oval:org.opensuse.security:def:9915 | P | libsmi on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:9897 | P | libnm-glib-vpn1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10570 | P | mercurial on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26385 | P | Security update for go (Moderate) | 2020-12-01
oval:org.opensuse.security:def:11079 | P | libtool on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26351 | P | Security update for mongodb (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26696 | P | file-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10753 | P | libksba-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26588 | P | libicu-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26961 | P | libopenssl0_9_8 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26798 | P | pam_ldap on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27102 | P | cups on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27833 | P | Security update for mercurial | 2020-12-01
oval:org.opensuse.security:def:9962 | P | perl on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:9910 | P | libpython2_7-1_0 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10462 | P | libHX-devel on GA media (Moderate) | 2020-12-01
oval:org.cisecurity:def:21 | P | DSA-3257-1 -- mercurial -- security update | 2016-02-08
oval:com.ubuntu.precise:def:20149462000 | V | CVE-2014-9462 on Ubuntu 12.04 LTS (precise) - medium. | 2015-03-31
oval:com.ubuntu.trusty:def:20149462000 | V | CVE-2014-9462 on Ubuntu 14.04 LTS (trusty) - medium. | 2015-03-31
    opensuse opensuse 13.1
    opensuse opensuse 13.2
    mercurial mercurial *
    mercurial-scm mercurial 3.2.3