CVE-2017-17459

{"id": "CVE-2017-17459", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2017-12-07T18:29:00.250", "references": [{"url": "https://bugzilla.opensuse.org/show_bug.cgi?id=1071709", "tags": ["Issue Tracking"], "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BLAFCQGE7C5UMX75LESNUMKTXTURUVQM/", "source": "cve@mitre.org"}, {"url": "https://www.fossil-scm.org/xfer/doc/trunk/www/changes.wiki#v2_4", "tags": ["Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.fossil-scm.org/xfer/info/1f63db591c77108c", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allows user-assisted remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-14176, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117."}, {"lang": "es", "value": "http_transport.c en Fossil en versiones anteriores a la 2.4, cuando se utiliza el protocolo SSH sync, permite que atacantes remotos asistidos por un usuario ejecuten comandos arbitrarios mediante una URL ssh con un car\u00e1cter gui\u00f3n inicial en el nombre del host. Esta vulnerabilidad est\u00e1 relacionada con CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-14176, CVE-2017-16228, CVE-2017-1000116 y CVE-2017-1000117."}], "lastModified": "2023-11-07T02:41:43.167", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fossil_scm:fossil:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CB721A45-F5C2-4BA2-9971-DACD592709FF", "versionEndExcluding": "2.4"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}