Vulnerability Name:

CVE-2017-16228 (CCN-134207)

Assigned:2017-10-29
Published:2017-10-29
Updated:2019-10-03
Summary:Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
CVSS v3 Severity:9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
9.8 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-noinfo
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2017-16228

Source: XF
Type: UNKNOWN
dulwich-cve201716228-commands-exec(134207)

Source: CCN
Type: Debian Mailing List, Sun, 29 Oct 2017 17:51:22 +0000
Accepted dulwich 0.18.5-1 (source amd64) into unstable

Source: MISC
Type: Issue Tracking, Third Party Advisory
https://tracker.debian.org/news/882440

Source: CCN
Type: Dulwich Web site
Dulwich

Source: MISC
Type: Product, Vendor Advisory
https://www.dulwich.io/code/dulwich/

Source: MISC
Type: Issue Tracking, Patch, Vendor Advisory
https://www.dulwich.io/code/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6/

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2017-16228

Vulnerable Configuration:Configuration 1:
  • cpe:/a:dulwich_project:dulwich:*:*:*:*:*:*:*:* (Version <= 0.18.4)

  • Configuration CCN 1:
  • cpe:/a:dulwich_project:dulwich:0.18.4:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:201716228
    V
    CVE-2017-16228
    2023-06-22
    oval:org.opensuse.security:def:7771
    P
    python3-dulwich-0.20.24-150400.1.4 on GA media (Moderate)
    2023-06-12
    oval:org.opensuse.security:def:3169
    P
    libexempi3-2.2.1-5.7.1 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:94799
    P
    python3-dulwich-0.20.24-150400.1.4 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:113264
    P
    python36-dulwich-0.20.24-1.3 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:106676
    P
    python36-dulwich-0.20.24-1.3 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:14015
    P
    python-cupshelpers-1.5.7-7.5 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14207
    P
    libXxf86dga1-1.1.4-3.58 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14127
    P
    ecryptfs-utils-103-7.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14858
    P
    cracklib-2.9.0-7.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:13882
    P
    libXvMC1-1.0.8-3.56 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:13997
    P
    pam-modules-12.1-23.12 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14196
    P
    libXi6-1.7.4-17.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14034
    P
    squashfs-4.3-6.2 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14220
    P
    libecpg6-9.6.3-2.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14152
    P
    gpg2-2.0.24-8.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:13860
    P
    krb5-1.12.5-39.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14880
    P
    elfutils-0.158-7.7.2 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:13950
    P
    libqt4-32bit-4.8.6-7.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:13852
    P
    jakarta-commons-fileupload-1.1.1-120.113 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:38609
    P
    Security update for ImageMagick (Moderate)
    2021-02-23
    oval:org.opensuse.security:def:37871
    P
    libass5 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:39400
    P
    Security update for python-dulwich (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38092
    P
    w3m on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:37859
    P
    libXrender1 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38251
    P
    libXext6 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38676
    P
    libgypsy0 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38501
    P
    tomcat on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:37860
    P
    libXt6 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:39358
    P
    Security update for the Linux Kernel (Important)
    2020-12-01
    oval:org.opensuse.security:def:37955
    P
    libruby2_1-2_1 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38193
    P
    ghostscript on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38648
    P
    libXrender1 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38341
    P
    libospf0 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38720
    P
    libqt4 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38560
    P
    clamav on GA media (Moderate)
    2020-12-01
    oval:com.ubuntu.bionic:def:2017162280000000
    V
    CVE-2017-16228 on Ubuntu 18.04 LTS (bionic) - low.
    2017-10-29
    oval:com.ubuntu.artful:def:201716228000
    V
    CVE-2017-16228 on Ubuntu 17.10 (artful) - untriaged.
    2017-10-29
    oval:com.ubuntu.xenial:def:201716228000
    V
    CVE-2017-16228 on Ubuntu 16.04 LTS (xenial) - low.
    2017-10-29
    oval:com.ubuntu.xenial:def:2017162280000000
    V
    CVE-2017-16228 on Ubuntu 16.04 LTS (xenial) - low.
    2017-10-29
    oval:com.ubuntu.bionic:def:201716228000
    V
    CVE-2017-16228 on Ubuntu 18.04 LTS (bionic) - low.
    2017-10-29
    oval:com.ubuntu.disco:def:2017162280000000
    V
    CVE-2017-16228 on Ubuntu 19.04 (disco) - low.
    2017-10-29
    oval:com.ubuntu.cosmic:def:201716228000
    V
    CVE-2017-16228 on Ubuntu 18.10 (cosmic) - low.
    2017-10-29
    oval:com.ubuntu.cosmic:def:2017162280000000
    V
    CVE-2017-16228 on Ubuntu 18.10 (cosmic) - low.
    2017-10-29
    oval:com.ubuntu.trusty:def:201716228000
    V
    CVE-2017-16228 on Ubuntu 14.04 LTS (trusty) - low.
    2017-10-29
    BACK
    dulwich_project dulwich *
    dulwich_project dulwich 0.18.4