
CVE-2017-1000116: Mercurial is vulnerable to shell injection attack

CVSS Score
9.8 (CVSS v3.0)

Basic Information

EPSS Score
0.87276%
Published
5/13/2022
Updated
9/25/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name
mercurial
Ecosystem
pip
Vulnerable Versions
< 4.3
First Patched Version
4.3

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper sanitization of hostnames taken from ssh:// repository URLs. Mercurial's sshpeer assembles the ssh invocation as a single command string and runs it through a shell; the [user@]host and port portion of that string comes from util.sshargs(). Before 4.3, sshargs() spliced the host into the command line unchecked and unquoted. ssh parses a leading argument that begins with "-" as an option rather than a host, so a URL whose host is of the form -oProxyCommand=<command> causes ssh to run that command locally on the victim's machine when the repository is cloned or pulled; a host containing shell metacharacters could likewise inject into the shell that launches ssh. The 4.3 fix hardens sshargs() in two ways: it aborts on any host or user@host value that starts with "-" (an ssh option injection, which shell quoting on its own does not prevent because ssh sees the argument after the shell has removed the quotes), and it wraps the host and port in util.shellquote() before they are placed in the command string.
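The two shapes of the argument builder, as an added example that is not Mercurial's own code: sshargs_vulnerable mirrors the pre-4.3 behaviour and sshargs_hardened mirrors the 4.3 fix, with shlex.quote standing in for util.shellquote. parse_ssh_url, build_ssh_cmdline, ssh_argv, ssh_would_see_option, demo and is_rejected are hypothetical helper names chosen for this illustration, and the two URLs are constructed samples, not real hosts. The block never executes ssh; it only shows what ssh's argv would look like after the shell splits the command line.

```python
import shlex
from urllib.parse import urlsplit


def parse_ssh_url(url):
    """Split ssh://[user@]host[:port]/path into (user, host, port, path).
    Hypothetical stand-in for Mercurial's url parser: no safety checks here,
    the check belongs in the argument builder."""
    u = urlsplit(url)
    if u.scheme != "ssh" or not u.netloc:
        raise ValueError("couldn't parse location %s" % url)
    userinfo, _, hostport = u.netloc.rpartition("@")
    host, _, port = hostport.partition(":")
    return userinfo or None, host, port or None, u.path


def sshargs_vulnerable(host, user=None, port=None):
    """Pre-4.3 shape: user@host and the port go onto the command line as-is."""
    args = "%s@%s" % (user, host) if user else host
    return "%s -p %s" % (args, port) if port else args


def sshargs_hardened(host, user=None, port=None):
    """4.3 shape: refuse a leading '-', then shell-quote every piece.
    shlex.quote stands in for util.shellquote (assumption)."""
    args = "%s@%s" % (user, host) if user else host
    if args.startswith("-"):
        raise ValueError(
            "illegal ssh hostname or username starting with -: %s" % args)
    args = shlex.quote(args)
    if port:
        args = "-p %s %s" % (shlex.quote(str(port)), args)
    return args


def build_ssh_cmdline(sshcmd, args, remotecmd, path):
    """Assemble the command string the way sshpeer does: one string that is
    handed to a shell, with the remote 'hg serve' call as a quoted argument."""
    remote = "%s -R %s serve --stdio" % (remotecmd, path)
    return "%s %s %s" % (sshcmd, args, shlex.quote(remote))


def ssh_argv(cmdline):
    """The argv ssh would receive after the shell splits the command line.
    shlex.split models quoting and whitespace, not ';' or '$(...)'."""
    return shlex.split(cmdline)


def ssh_would_see_option(argv):
    """True when the first argument after the binary starts with '-', i.e.
    ssh would parse the attacker-supplied 'host' as an option such as -o."""
    return len(argv) > 1 and argv[1].startswith("-")


# Constructed sample URLs (not real hosts). The first one carries an ssh option
# where the hostname should be; the second is an ordinary repository URL.
MALICIOUS_URL = "ssh://-oProxyCommand=id/repo"
BENIGN_URL = "ssh://hg@example.org:2222/repo"


def demo(url, hardened):
    """Parse the URL, build the ssh command with the chosen builder, and return
    the argv ssh would see."""
    user, host, port, path = parse_ssh_url(url)
    builder = sshargs_hardened if hardened else sshargs_vulnerable
    args = builder(host, user, port)
    return ssh_argv(build_ssh_cmdline("ssh", args, "hg", path))


def is_rejected(url):
    """True when the hardened builder refuses the URL's host."""
    try:
        demo(url, hardened=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", demo(MALICIOUS_URL, hardened=False))
    print("hardened rejects malicious URL:", is_rejected(MALICIOUS_URL))
    print("hardened, benign:", demo(BENIGN_URL, hardened=True))
```

Running it shows that with the old builder ssh's argv[1] is -oProxyCommand=id, which ssh would treat as a ProxyCommand to execute through /bin/sh; the hardened builder aborts on that host before any command string exists. Note that shlex.quote("-oProxyCommand=id") returns the string unchanged, because it contains no shell metacharacters: quoting is the right fix for a host like "host;id", but only the leading-dash check stops option injection.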


WAF Protection Rules

WAF Rule

Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks.
