Critical severityNVD Advisory· Published Mar 31, 2015· Updated May 6, 2026

CVE-2014-9462

Description

The _validaterepo function in sshpeer in Mercurial before 3.2.4 allows remote attackers to execute arbitrary commands via a crafted repository name in a clone command.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
mercurialPyPI	< 3.2.4	3.2.4

Affected products

Mercurial/Mercurial
cpe:2.3:a:mercurial:mercurial:*:*:*:*:*:*:*:*
Range: <=3.2.3
OpenSUSE/openSUSE2 versions
cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.htmlnvdExploitWEB
mercurial.selenic.com/wiki/WhatsNewnvdVendor AdvisoryWEB
github.com/advisories/GHSA-3pmw-h7j4-rf54ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2014-9462ghsaADVISORY
lists.opensuse.org/opensuse-updates/2015-03/msg00085.htmlnvdWEB
www.debian.org/security/2015/dsa-3257nvdWEB
www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.htmlnvdWEB
github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2015-14.yamlghsaWEB
security.gentoo.org/glsa/201612-19nvdWEB
www.osvdb.org/119816nvd

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000