CVE-2017-14176

Publication date 5 September 2017

Last updated 25 August 2025

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

8.8 · High

Score breakdown

Description

Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.

From the Ubuntu Security Team

Adam Collard discovered that Bazaar did not properly handle host names in 'bzr+ssh://' URLs. A remote attacker could use this to construct a bazaar repository URL that when accessed could run arbitrary code with the privileges of the user.

Status

Package Ubuntu Release Status
bzr 17.10 artful
Fixed 2.7.0+bzr6622-6ubuntu1
17.04 zesty
Fixed 2.7.0+bzr6619-7ubuntu0.1
16.04 LTS xenial
Fixed 2.7.0-2ubuntu3.1
14.04 LTS trusty
Fixed 2.6.0+bzr6593-1ubuntu1.6

Severity score breakdown

Parameter Value
Base score 8.8 · High
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

Other references

Access our resources on patching vulnerabilities