What is GHSA-jjxg-hpm7-g95f?

GHSA-jjxg-hpm7-g95f is a security advisory published by GitHub Security Advisories with High severity. Bazaar allows remote attackers to execute arbitrary commands via a bzr+ssh URL with initial dash character in hostname

Which CVE IDs does GHSA-jjxg-hpm7-g95f cover?

GHSA-jjxg-hpm7-g95f covers the following CVE IDs: CVE-2017-14176. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-jjxg-hpm7-g95f?

GHSA-jjxg-hpm7-g95f has a CVSS v3 base score of 8.8, published by GitHub Security Advisories.

Which products are affected by GHSA-jjxg-hpm7-g95f?

GHSA-jjxg-hpm7-g95f affects 1 product, including: pip/bzr:\u003c= 2.7.0.

GHSA-jjxg-hpm7-g95fHighCVSS 8.8

Bazaar allows remote attackers to execute arbitrary commands via a bzr+ssh URL with initial dash character in hostname

Vendor

GitHub Security Advisories

Published

May 13, 2022

Last Modified

May 29, 2026

🔗 CVE IDs covered (1)

CVE-2017-14176 →

📋 Description

Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.

🎯 Affected products1

pip/bzr:<= 2.7.0

🔗 References (10)

https://nvd.nist.gov/vuln/detail/CVE-2017-14176
https://bugs.debian.org/874429
https://bugs.launchpad.net/bzr/+bug/1710979
https://bugzilla.redhat.com/show_bug.cgi?id=1486685
https://bugzilla.suse.com/show_bug.cgi?id=1058214
https://www.debian.org/security/2017/dsa-4052
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14176.html
http://www.ubuntu.com/usn/usn-3411-1
https://github.com/pypa/advisory-database/tree/main/vulns/bzr/PYSEC-2017-149.yaml
https://github.com/advisories/GHSA-jjxg-hpm7-g95f