Is CVE-2017-9800 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 19%.

What products does CVE-2017-9800 affect?

Tracked products affected include Apache Subversion. Check the version you run to see whether it is affected.

How do I fix CVE-2017-9800?

Apply the vendor fix promptly. Upgrade affected products to a fixed version.

CVE-2017-9800

Q: What is CVE-2017-9800?

CVE-2017-9800 is a critical-severity software vulnerability (Improper input validation) with a CVSS score of 9.8. A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malic

CRITICAL severity · CVSS 9.8 · Improper input validation

9.8CVSS CRITICAL

Summary

A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)19%

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products we track (1)

Apache Subversion

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

CVE-2017-9800

Summary

Impact & exploitability

Affected products we track (1)

Recommendation

Additional information