CVE-2014-9462

Published: Mar 31, 2015Modified: May 6, 2026

7.5

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability: 10.0 / Impact: 6.4

Source: NVD

Description

The _validaterepo function in sshpeer in Mercurial before 3.2.4 allows remote attackers to execute arbitrary commands via a crafted repository name in a clone command.

Affected (3)

Products: Opensuse: Opensuse · Mercurial: Mercurial

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Opensuse Opensuse	Version 13.1
Opensuse Opensuse	Version 13.2

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Mercurial Mercurial	Up to 3.2.3

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (14)

http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html

Source: cve@mitre.org

Exploit

http://lists.opensuse.org/opensuse-updates/2015-03/msg00085.html

Source: cve@mitre.org

http://mercurial.selenic.com/wiki/WhatsNew

Source: cve@mitre.org

Vendor Advisory

http://www.debian.org/security/2015/dsa-3257

Source: cve@mitre.org

http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html

Source: cve@mitre.org

http://www.osvdb.org/119816

Source: cve@mitre.org

https://security.gentoo.org/glsa/201612-19

Source: cve@mitre.org

http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html