{"id":"CVE-2017-16228","details":"Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.","aliases":["GHSA-cwwh-4382-6fwr","PYSEC-2017-12"],"modified":"2026-04-16T06:16:13.760640435Z","published":"2017-10-29T20:29:00.237Z","related":["SUSE-SU-2018:2047-1","openSUSE-SU-2024:11228-1","openSUSE-SU-2024:14139-1"],"references":[{"type":"ADVISORY","url":"https://www.dulwich.io/code/dulwich/"},{"type":"REPORT","url":"https://tracker.debian.org/news/882440"},{"type":"FIX","url":"https://www.dulwich.io/code/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jelmer/dulwich","events":[{"introduced":"0"},{"last_affected":"7d42714e55c594d992ec60373e8943abb0837f96"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.18.4"}]}}],"versions":["dulwich-0.1.0","dulwich-0.1.1","dulwich-0.10.0","dulwich-0.10.1","dulwich-0.11.0","dulwich-0.11.1","dulwich-0.12.0","dulwich-0.13.0","dulwich-0.14.0","dulwich-0.14.1","dulwich-0.15.0","dulwich-0.16.0","dulwich-0.16.1","dulwich-0.16.2","dulwich-0.16.3","dulwich-0.17.0","dulwich-0.17.1","dulwich-0.17.2","dulwich-0.17.3","dulwich-0.18.0","dulwich-0.18.1","dulwich-0.18.2","dulwich-0.18.3","dulwich-0.18.4","dulwich-0.2.0","dulwich-0.2.1","dulwich-0.3.0","dulwich-0.3.1","dulwich-0.3.2","dulwich-0.3.3","dulwich-0.4.0","dulwich-0.4.1","dulwich-0.5.0","dulwich-0.6.0","dulwich-0.6.1","dulwich-0.6.2","dulwich-0.7.0","dulwich-0.7.1","dulwich-0.8.0","dulwich-0.8.1","dulwich-0.8.2","dulwich-0.8.3","dulwich-0.8.4","dulwich-0.8.5","dulwich-0.8.6","dulwich-0.8.7","dulwich-0.9.0","dulwich-0.9.1","dulwich-0.9.2","dulwich-0.9.3","dulwich-0.9.4","dulwich-0.9.5","dulwich-0.9.6","dulwich-0.9.7","dulwich-0.9.8"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-16228.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}