CVE-2017-17458 — Vulnetix

Try Vulnetix Request Demo

CVE-2017-17458 PUBLISHED

In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically.

EPSS 17.25% · 95.0th percentile

Risk Scores

EPSS Score

17.25%

95.0th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:14.04:LTS	mercurial	0, 2.6.3-1, 2.7.2-1
Ubuntu:16.04:LTS	mercurial	0, 3.4-1ubuntu2, 3.6.2-1ubuntu2

Timeline

CVE Published
Sep 26, 2019 PoC Published
Apr 14, 2021 EPSS Score
Feb 4, 2022 EPSS Score
Mar 17, 2025 EPSS Score
Mar 22, 2025 EPSS Score
Mar 23, 2025 EPSS Score
Mar 27, 2025 EPSS Score
Mar 29, 2025 EPSS Score
Mar 30, 2025 EPSS Score
Mar 31, 2025 EPSS Score
Apr 1, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2017-17458 third-party-advisory
https://bz.mercurial-scm.org/show_bug.cgi?id=5730 third-party-advisory
https://www.mercurial-scm.org/pipermail/mercurial-devel/2017-November/107333.html third-party-advisory
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.4.1_.282017-11-07.29 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2017-17458 third-party-advisory

Open in Interactive Console →