CVE-2017-17458

Name: CVE-2017-17458
Creator: NVD / NIST
Published: 2017-12-07T18:29:00.203+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 6.33%

Last modified Jun 17, 2026

CVE-2017-17458 is a vulnerability of currently unknown severity. In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically.. EPSS estimates a 6.33% chance of exploitation in the next 30 days.

Description

In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically.

Metrics

EPSS Probability

6.33%

92.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-78

Affected Software

Vendor	Product	Versions
Mercurial	Mercurial	< 4.4.1
Debian	Debian Linux	7.0
Debian	Debian Linux	8.0

References

http://www.securityfocus.com/bid/102926Third Party Advisory, VDB Entry
https://bz.mercurial-scm.org/show_bug.cgi?id=5730Issue Tracking, Third Party Advisory
https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.htmlThird Party Advisory
https://lists.debian.org/debian-lts-announce/2017/12/msg00027.htmlMailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/07/msg00005.htmlMailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/07/msg00041.htmlMailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html
https://www.mercurial-scm.org/pipermail/mercurial-devel/2017-November/107333.htmlVendor Advisory
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.4.1_.282017-11-07.29Vendor Advisory
http://www.securityfocus.com/bid/102926Third Party Advisory, VDB Entry
https://bz.mercurial-scm.org/show_bug.cgi?id=5730Issue Tracking, Third Party Advisory
https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.htmlThird Party Advisory
https://lists.debian.org/debian-lts-announce/2017/12/msg00027.htmlMailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/07/msg00005.htmlMailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/07/msg00041.htmlMailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html
https://www.mercurial-scm.org/pipermail/mercurial-devel/2017-November/107333.htmlVendor Advisory
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.4.1_.282017-11-07.29Vendor Advisory

Timeline

Published: Dec 7, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2017-17458?

How severe is CVE-2017-17458?

Severity scoring for CVE-2017-17458 is pending analysis. The EPSS model estimates a 6.33% probability of exploitation in the next 30 days.

How do I fix CVE-2017-17458?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-17458?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST