QwikSec

Security Database

CVE

CWE

Training

CVE-2017-9800

Published: Aug 11, 2017

Modified: Sep 16, 2024

PUBLISHED

Description

A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.

Vendor	Product	Versions
Apache Software Foundation	Apache Subversion	affected `1.0.0 to 1.8.18` affected `1.9.0 to 1.9.6`

References

[announce] 20170810 [SECURITY][ANNOUNCE] Apache Subversion 1.9.7 released

mailing-list

x_refsource_MLIST

vdb-entry

x_refsource_BID

20170810 [SECURITY][ANNOUNCE] Apache Subversion 1.9.7 released

mailing-list

x_refsource_BUGTRAQ

vendor-advisory

x_refsource_REDHAT

vdb-entry

x_refsource_SECTRACK

vendor-advisory

x_refsource_GENTOO

vendor-advisory

x_refsource_DEBIAN

[subversion-commits] 20190830 svn commit: r1866117 - in /subversion/site/publish/docs/community-guide: how-to-roll-releases-in-private.txt issues.part.html

mailing-list

x_refsource_MLIST

https://www.oracle.com/security-alerts/cpuoct2020.html

x_refsource_MISC

https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2017-08-11-933099891.html

x_refsource_CONFIRM

https://support.apple.com/HT208103

x_refsource_CONFIRM

https://subversion.apache.org/security/CVE-2017-9800-advisory.txt

x_refsource_CONFIRM

http://packetstormsecurity.com/files/143722/Apache-Subversion-Arbitrary-Code-Execution.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.