VDB
PYSEC-2017-91
PYSEC-2017-91
PUBLISHED
CVSS 8.600000381469727 HIGH
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.
Risk Scores
CVSS v4.0
8.600000381469727
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| PyPI | mercurial | 1.0.2, 0, 0.8.1 |
Timeline
- Jun 6, 2017 CVE Published
- Nov 8, 2023 CVE Updated
- May 1, 2026 Distribution Patch
- May 1, 2026 Distribution Patch
- May 1, 2026 Security Advisory
- May 1, 2026 Security Advisory
- May 1, 2026 Security Advisory
References
- https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29 url
- https://www.mercurial-scm.org/repo/hg/rev/77eaf9539499 url
- http://www.securityfocus.com/bid/99123 url
- https://github.com/advisories/GHSA-ghjx-3jg5-h6r2 advisory
- https://bugs.debian.org/861243 advisory
- https://security.gentoo.org/glsa/201709-18 advisory
- http://www.debian.org/security/2017/dsa-3963 advisory
- https://access.redhat.com/errata/RHSA-2017:1576 advisory
- https://lists.debian.org/debian-lts-announce/2018/07/msg00005.html advisory