GHSA-cwwh-4382-6fwr

Source

https://github.com/advisories/GHSA-cwwh-4382-6fwr

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cwwh-4382-6fwr/GHSA-cwwh-4382-6fwr.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-cwwh-4382-6fwr

Aliases

Published

2022-05-13T01:44:04Z

Modified

2024-11-30T05:35:23.389592Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Dulwich RCE Vulnerability

Details

Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.

Database specific

{
    "nvd_published_at": "2017-10-29T20:29:00Z",
    "cwe_ids": [],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-26T18:23:19Z"
}

References

Affected packages

PyPI / dulwich

Package

Name: dulwich; View open source insights on deps.dev
Purl: pkg:pypi/dulwich

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.18.5

Affected versions

0.*

0.0.1

0.1.0

0.1.1

0.2.1

0.3.0

0.3.1

0.3.2

0.3.3

0.4.0

0.4.1

0.5.0

0.6.0

0.6.1

0.6.2

0.7.0

0.7.1

0.8.0

0.8.1

0.8.2

0.8.3

0.8.4

0.8.5

0.8.6

0.8.7

0.9.0

0.9.1

0.9.2

0.9.3

0.9.4

0.9.5

0.9.6

0.9.7

0.9.8

0.9.9

0.10.0

0.10.1a

0.11.0

0.11.1

0.11.2

0.12.0

0.13.0

0.14.0

0.14.1

0.15.0

0.16.0

0.16.1

0.16.2

0.16.3

0.17.1

0.17.2

0.17.3

0.18.0

0.18.1

0.18.2

0.18.3

0.18.4