Critical severity9.8NVD Advisory· Published Aug 11, 2017· Updated May 13, 2026

CVE-2017-9800

Description

A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.

Affected products

Apache/Subversion12 versions
cpe:2.3:a:apache:subversion:*:*:*:*:*:*:*:*+ 11 more
- cpe:2.3:a:apache:subversion:*:*:*:*:*:*:*:*range: <=1.8.18
- cpe:2.3:a:apache:subversion:1.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:subversion:1.10.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:apache:subversion:1.10.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:apache:subversion:1.10.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:apache:subversion:1.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:subversion:1.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:subversion:1.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:subversion:1.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:subversion:1.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:subversion:1.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:subversion:1.9.6:*:*:*:*:*:*:*
Apache Software Foundation/Apache Subversionv5
Range: 1.0.0 to 1.8.18

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.047
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000