Critical severity9.8NVD Advisory· Published Aug 11, 2017· Updated Jun 17, 2026
CVE-2017-9800
CVE-2017-9800
Description
A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
20cpe:2.3:a:apache:subversion:*:*:*:*:*:*:*:*+ 13 more
- cpe:2.3:a:apache:subversion:*:*:*:*:*:*:*:*range: <=1.8.18
- cpe:2.3:a:apache:subversion:1.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:subversion:1.10.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:apache:subversion:1.10.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:apache:subversion:1.10.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:apache:subversion:1.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:subversion:1.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:subversion:1.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:subversion:1.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:subversion:1.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:subversion:1.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:subversion:1.9.6:*:*:*:*:*:*:*
- (no CPE)range: <1.8.19, <1.9.7, <=1.10.0-alpha3
- (no CPE)range: 1.0.0 to 1.8.18
- osv-coords6 versionspkg:hackage/git-annexpkg:rpm/opensuse/subversion&distro=openSUSE%20Tumbleweedpkg:rpm/suse/subversion&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4pkg:rpm/suse/subversion&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2pkg:rpm/suse/subversion&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3pkg:rpm/suse/subversion&distro=SUSE%20Studio%20Onsite%201.3
< 6.20170818+ 5 more
- (no CPE)range: < 6.20170818
- (no CPE)range: < 1.14.1-1.11
- (no CPE)range: < 1.6.17-1.36.9.1
- (no CPE)range: < 1.8.19-25.3.1
- (no CPE)range: < 1.8.19-25.3.1
- (no CPE)range: < 1.6.17-1.36.9.1
Patches
Vulnerability mechanics
References
13- www.securityfocus.com/bid/100259nvdThird Party AdvisoryVDB Entry
- www.securitytracker.com/id/1039127nvdThird Party AdvisoryVDB Entry
- subversion.apache.org/security/CVE-2017-9800-advisory.txtnvdVendor Advisory
- packetstormsecurity.com/files/143722/Apache-Subversion-Arbitrary-Code-Execution.htmlnvd
- www.debian.org/security/2017/dsa-3932nvd
- www.securityfocus.com/archive/1/540999/100/0/threadednvd
- access.redhat.com/errata/RHSA-2017:2480nvd
- confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2017-08-11-933099891.htmlnvd
- lists.apache.org/thread.html/cb607dc2f13bab9769147759ddccb14a4f9d8e5cdcad5e99c0d03b63%40%3Cannounce.apache.org%3Envd
- lists.apache.org/thread.html/d8cf53affd700dfce90bad4968fb8b1dfb69cf7c443052c70398ff76%40%3Ccommits.subversion.apache.org%3Envd
- security.gentoo.org/glsa/201709-09nvd
- support.apple.com/HT208103nvd
- www.oracle.com/security-alerts/cpuoct2020.htmlnvd
News mentions
0No linked articles in our index yet.