Vulnerability Description
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dulwich Project | Dulwich | <= 0.18.4 |
References
- https://tracker.debian.org/news/882440Issue TrackingThird Party Advisory
- https://www.dulwich.io/code/dulwich/ProductVendor Advisory
- https://www.dulwich.io/code/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6dIssue TrackingPatchVendor Advisory
- https://tracker.debian.org/news/882440Issue TrackingThird Party Advisory
- https://www.dulwich.io/code/dulwich/ProductVendor Advisory
- https://www.dulwich.io/code/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6dIssue TrackingPatchVendor Advisory
FAQ
What is CVE-2017-16228?
CVE-2017-16228 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-...
How severe is CVE-2017-16228?
CVE-2017-16228 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2017-16228?
Check the references section above for vendor advisories and patch information. Affected products include: Dulwich Project Dulwich.