VDB

CVE-2017-17458

CVE-2017-17458 PUBLISHED

In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically.

EPSS 17.25% · 95.2th percentile

Risk Scores

EPSS Score
17.25%
95.2th percentile

Affected Products

VendorProductVersions
Ubuntu:14.04:LTSmercurial2.8.2-1ubuntu1.3, 2.6.3-1, 2.7.2-1
Ubuntu:16.04:LTSmercurial3.4-1ubuntu2, 3.6.2-1ubuntu2, 3.7.3-1ubuntu1

Timeline

  • CVE Published
  • Sep 26, 2019 PoC Published
  • Apr 14, 2021 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Mar 17, 2025 EPSS Score
  • Mar 22, 2025 EPSS Score
  • Mar 23, 2025 EPSS Score
  • Mar 27, 2025 EPSS Score
  • Mar 29, 2025 EPSS Score
  • Mar 30, 2025 EPSS Score
  • Mar 31, 2025 EPSS Score
  • Apr 1, 2025 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›