Miggo Logo
Miggo Vulnerability Database
CVE-2017-17458

CVE-2017-17458: Mercurial vulnerable to arbitrary code injection

9.8

CVSS Score
3.0

Basic Information

CVE ID
CVE-2017-17458
GHSA ID
GHSA-6v56-cpg6-3rpx
EPSS Score
0.94714%
CWE
CWE-78
Published
5/13/2022
Updated
9/25/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
mercurialpip< 4.4.14.4.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from Mercurial's handling of Git subrepositories, where a malicious .git/hooks/post-update script could be executed. The functions in the Git subrepo module (gitsubrepo) that process updates or checkouts (e.g., _update, get) are directly responsible for interacting with the subrepo's configuration and hooks. The fixes in Mercurial 4.4.1 (e.g., disallowing symlink traversal and adding subrepo operation restrictions) imply these functions lacked proper validation. The CWE-78 classification confirms the issue involves improper neutralization of OS commands, aligning with the described attack vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In M*r*uri*l ***or* *.*.*, it is possi*l* t**t * sp**i*lly m*l*orm** r*pository **n **us* *it su*r*positori*s to run *r*itr*ry *o** in t** *orm o* * `.*it/*ooks/post-up**t*` s*ript ****k** into t** r*pository. Typi**l us* o* M*r*uri*l pr*v*nts *onstr

Reasoning

T** vuln*r**ility st*ms *rom M*r*uri*l's **n*lin* o* *it su*r*positori*s, w**r* * m*li*ious `.*it/*ooks/post-up**t*` s*ript *oul* ** *x**ut**. T** *un*tions in t** *it su*r*po mo*ul* (*itsu*r*po) t**t `pro**ss` up**t*s or ****kouts (*.*., `_up**t*`,