{"id":"CVE-2014-9462","details":"The _validaterepo function in sshpeer in Mercurial before 3.2.4 allows remote attackers to execute arbitrary commands via a crafted repository name in a clone command.","aliases":["GHSA-3pmw-h7j4-rf54","PYSEC-2015-14"],"modified":"2026-04-10T03:44:50.265705Z","published":"2015-03-31T14:59:03Z","related":["MGASA-2015-0129","SUSE-SU-2015:0817-1","SUSE-SU-2015:0836-1"],"references":[{"type":"ADVISORY","url":"http://mercurial.selenic.com/wiki/WhatsNew"},{"type":"ADVISORY","url":"http://www.debian.org/security/2015/dsa-3257"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201612-19"},{"type":"EVIDENCE","url":"http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-updates/2015-03/msg00085.html"},{"type":"WEB","url":"http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html"},{"type":"WEB","url":"http://www.osvdb.org/119816"}],"schema_version":"1.7.5"}