CVE-2017-14176
Aliases:PYSEC-2017-149GHSA-jjxg-hpm7-g95f
Advisory lineage Upstream: 0 Downstream: 5
Modified
Published: 27 Nov 2017, 10:00
Last modified:05 Aug 2024, 19:20
Vulnerability Summary
Overall Risk (default)
high
70/100 CVSS Score
9.3 HIGH
v2.0 (nvd)
EPSS Score
1.76% LOW
2% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
27 Nov 2017, 10:00
Published
Vulnerability first disclosed
05 Aug 2024, 19:20
Last Modified
Vulnerability information updated
Description
Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
CVSS Metrics
- v3.0•HIGH•Score: 8.8CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- v2.0•HIGH•Score: 9.3AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS Trends
Current EPSS score: 1.76%• Percentile: 83%
Affected Systems
- canonical•bazaar
≤ 2.7.0
- canonical•ubuntu_linux
14.04 | 16.04 | 17.04
- debian•debian_linux
8.0 | 9.0
- PyPI•bzr
≤ 2.7.0
References (9)
- https://www.debian.org/security/2017/dsa-4052
- https://bugzilla.suse.com/show_bug.cgi?id=1058214
- http://www.ubuntu.com/usn/usn-3411-1
- https://bugs.debian.org/874429
- http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14176.html
- https://bugs.launchpad.net/bzr/+bug/1710979
- https://bugzilla.redhat.com/show_bug.cgi?id=1486685
- https://nvd.nist.gov/vuln/detail/CVE-2017-14176
- https://github.com/pypa/advisory-database/tree/main/vulns/bzr/PYSEC-2017-149.yaml