CVE-2007-6350

scponly 4.6 and earlier allows remote authenticated users to bypass intended restrictions and execute code by invoking dangerous subcommands including (1) unison, (2) rsync, (3) svn, and (4) svnserve, as originally demonstrated by creating a Subversion (SVN) repository with malicious hooks, then using svn to trigger execution of those hooks.

Published: 2007-12-14 Last update: 2026-04-23 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2007-6350 is rated High Risk (66.1/100): CVSS High severity, with medium exploitation likelihood (EPSS 4.36%). High exploitation likelihood—assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2007-6350

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 3.76% 4.36% +0.60%
2 2026-03-02 1.29% 3.76% +2.47%
3 2026-02-28 1.29%

Full EPSS history (16 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2007-6350

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
8.5 2.0 HIGH
AV:N/AC:M/Au:S/C:C/I:C/A:C Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:S)
A single authentication is required.
Confidentiality impact (C:C)
Complete confidentiality impact.
Integrity impact (I:C)
Complete integrity impact.
Availability impact (A:C)
Complete availability impact.
 6.8 10.0 [email protected]

Weakness enumeration for CVE-2007-6350

OS Trackers for CVE-2007-6350

vendor priority summary link
gentoo normal CVE-2007-6350: 1 GLSA(s) (200802-06), 1 atom(s) (net-misc/scponly); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2007-6350
redhat https://access.redhat.com/security/cve/CVE-2007-6350
ubuntu medium CVE-2007-6350 medium priority: Ubuntu including 1 source packages (scponly), 8 status rows across 8 suites (dapper, edgy, feisty, gutsy, hardy, intrepid, jaunty, upstream): released 6, ignored 2. https://ubuntu.com/security/CVE-2007-6350

Affected software / configurations for CVE-2007-6350

Vendor Product Version Raw CPE
scponly scponly <= 4.6 cpe:2.3:a:scponly:scponly:*:*:*:*:*:*:*:*
scponly scponly 4.2 cpe:2.3:a:scponly:scponly:4.2:*:*:*:*:*:*:*
scponly scponly 4.3 cpe:2.3:a:scponly:scponly:4.3:*:*:*:*:*:*:*
scponly scponly 4.4 cpe:2.3:a:scponly:scponly:4.4:*:*:*:*:*:*:*
scponly scponly 4.5 cpe:2.3:a:scponly:scponly:4.5:*:*:*:*:*:*:*

References for CVE-2007-6350

URL Tags
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=437148
http://bugs.gentoo.org/show_bug.cgi?id=201726
http://osvdb.org/44137
http://scponly.cvs.sourceforge.net/scponly/scponly/SECURITY?view=markup
http://secunia.com/advisories/28123 Vendor Advisory
http://secunia.com/advisories/28538 Vendor Advisory
http://secunia.com/advisories/28944 Vendor Advisory
http://secunia.com/advisories/28981 Vendor Advisory
http://security.gentoo.org/glsa/glsa-200802-06.xml
http://www.debian.org/security/2008/dsa-1473
http://www.securityfocus.com/bid/26900
http://www.securitytracker.com/id?1019103
http://www.vupen.com/english/advisories/2007/4243 Vendor Advisory
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00546.html
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00595.html
cvelogic Threat Intelligence