High severity 7.5 · NVD Advisory · Published Aug 24, 2017 · Updated May 13, 2026
CVE-2017-12836
Description
CVS 1.12.x, when configured to use SSH for remote repositories, might allow remote attackers to execute arbitrary code via a repository URL with a crafted hostname, as demonstrated by "-oProxyCommand=id;localhost:/bar."
Affected products
- cpe:2.3:a:gnu:cvs:1.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:cvs:1.12.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:cvs:1.12.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:cvs:1.12.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:cvs:1.12.7:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:cvs:1.12.9:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:cvs:1.12.10:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:cvs:1.12.11:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:cvs:1.12.12:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:cvs:1.12.13:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:17.04:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- bugzilla.redhat.com/show_bug.cgi [nvd] Issue Tracking, Patch, Third Party Advisory, VDB Entry
- lists.nongnu.org/archive/html/bug-cvs/2017-08/msg00000.html [nvd] Exploit, Mailing List, Vendor Advisory
- www.openwall.com/lists/oss-security/2017/08/11/1 [nvd] Exploit, Mailing List, Third Party Advisory
- www.debian.org/security/2017/dsa-3940 [nvd] Third Party Advisory
- www.openwall.com/lists/oss-security/2017/08/11/4 [nvd] Mailing List, Third Party Advisory
- www.securityfocus.com/bid/100279 [nvd] Third Party Advisory, VDB Entry
- www.ubuntu.com/usn/USN-3399-1 [nvd] Third Party Advisory
- security.gentoo.org/glsa/201709-17 [nvd] Third Party Advisory