What is the severity of CVE-2017-9462?

CVE-2017-9462 is considered a medium severity vulnerability because it allows remote authenticated users to execute arbitrary code.

How do I fix CVE-2017-9462?

To fix CVE-2017-9462, upgrade Mercurial to version 4.1.3 or later.

What software is affected by CVE-2017-9462?

CVE-2017-9462 affects Mercurial versions prior to 4.1.3, specifically on platforms like Debian and Red Hat Enterprise Linux.

What type of attack does CVE-2017-9462 enable?

CVE-2017-9462 enables remote authenticated users to launch the Python debugger, potentially leading to arbitrary code execution.

Is CVE-2017-9462 present in the latest versions of Mercurial?

No, CVE-2017-9462 is not present in Mercurial version 4.1.3 and later, as it has been patched.

Vulnerability/
CVE-2017-9462

critical

CWE

732

6/6/2017

13/7/2018

1/10/2024

CVE-2017-9462

First published: Tue Jun 06 2017(Updated: )

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
redhat/mercurial	<4.1.3	4.1.3
pip/mercurial	<4.1.3	4.1.3
Mercurial	<4.1.3
Debian Linux	=8.0
Debian Linux	=9.0
Red Hat Enterprise Linux Desktop	=6.0
Red Hat Enterprise Linux Desktop	=7.0
Red Hat Enterprise Linux Server	=6.0
Red Hat Enterprise Linux Server	=7.0
Red Hat Enterprise Linux Server	=7.3
Red Hat Enterprise Linux Server	=7.4
Red Hat Enterprise Linux Server	=7.6
Red Hat Enterprise Linux Server	=7.3
Red Hat Enterprise Linux Server	=7.4
Red Hat Enterprise Linux Server	=7.5
Red Hat Enterprise Linux Server	=7.6
Red Hat Enterprise Linux Server	=7.3
Red Hat Enterprise Linux Server	=7.6
Red Hat Enterprise Linux Workstation	=6.0
Red Hat Enterprise Linux Workstation	=7.0

Remedy

https://bugs.debian.org/861243

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2017-9462?
CVE-2017-9462 is considered a medium severity vulnerability because it allows remote authenticated users to execute arbitrary code.
How do I fix CVE-2017-9462?
To fix CVE-2017-9462, upgrade Mercurial to version 4.1.3 or later.
What software is affected by CVE-2017-9462?
CVE-2017-9462 affects Mercurial versions prior to 4.1.3, specifically on platforms like Debian and Red Hat Enterprise Linux.
What type of attack does CVE-2017-9462 enable?
CVE-2017-9462 enables remote authenticated users to launch the Python debugger, potentially leading to arbitrary code execution.
Is CVE-2017-9462 present in the latest versions of Mercurial?
No, CVE-2017-9462 is not present in Mercurial version 4.1.3 and later, as it has been patched.

agent/type
agent/first-publish-date
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2017-9462
agent/software-canonical-lookup
agent/weakness
agent/remedy
agent/description
collector/github-advisory-latest
source/GitHub
alias/GHSA-ghjx-3jg5-h6r2
agent/references
agent/severity
agent/last-modified-date
agent/author
agent/event
collector/github-advisory
agent/trending
agent/source
collector/nvd-cve
source/NVD
agent/software-canonical-lookup-request
agent/softwarecombine
agent/tags
collector/nvd-index
package-manager/redhat
package-manager/pip
vendor/mercurial
canonical/mercurial
vendor/debian
canonical/debian linux
version/debian linux/8.0
version/debian linux/9.0
vendor/redhat
canonical/red hat enterprise linux desktop
version/red hat enterprise linux desktop/6.0
version/red hat enterprise linux desktop/7.0
canonical/red hat enterprise linux server
version/red hat enterprise linux server/6.0
version/red hat enterprise linux server/7.0
version/red hat enterprise linux server/7.3
version/red hat enterprise linux server/7.4
version/red hat enterprise linux server/7.6
version/red hat enterprise linux server/7.5
canonical/red hat enterprise linux workstation
version/red hat enterprise linux workstation/6.0
version/red hat enterprise linux workstation/7.0