Critical severity 9.8 · NVD Advisory · Published Oct 29, 2017 · Updated Jun 17, 2026
CVE-2017-16228
Description
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dulwich (PyPI) | < 0.18.5 | 0.18.5 |
Affected products
- ghsa-coords (3 versions): pkg:pypi/dulwich; pkg:rpm/opensuse/python-dulwich&distro=openSUSE%20Tumbleweed; pkg:rpm/suse/python-dulwich&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2012 (range: < 0.18.5, + 2 more)
- (no CPE) range: < 0.18.5
- (no CPE) range: < 0.21.7-1.3
- (no CPE) range: < 0.18.5-4.3.1
References
- www.dulwich.io/code/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6/ (nvd: Issue Tracking, Patch, Vendor Advisory)
- github.com/advisories/GHSA-cwwh-4382-6fwr (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-16228 (ghsa: ADVISORY)
- tracker.debian.org/news/882440 (nvd: Issue Tracking, Third Party Advisory, WEB)
- www.dulwich.io/code/dulwich/ (nvd: Product, Vendor Advisory)
- github.com/jelmer/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6 (ghsa: WEB)
- github.com/pypa/advisory-database/tree/main/vulns/dulwich/PYSEC-2017-12.yaml (ghsa: WEB)
- web.archive.org/web/20201220231743/https://www.dulwich.io/code/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6 (ghsa: WEB)
- web.archive.org/web/20210128154006/https://www.dulwich.io/code/dulwich (ghsa: WEB)
- www.dulwich.io/code/dulwich (ghsa: WEB)
- www.dulwich.io/code/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6 (ghsa: WEB)