CVSSv3 8.8

CVE-2016-3069

Published: 13/04/2016 Updated: 30/10/2018
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 605
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

The convert extension in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted Git repository name when that repository is converted to a Mercurial repository.

Vulnerable Products

mercurial mercurial

debian debian linux 8.0

debian debian linux 7.0

opensuse opensuse 13.2

suse linux enterprise debuginfo 11

suse linux enterprise software development kit 11

suse linux enterprise software development kit 12

opensuse leap 42.1

fedoraproject fedora 23

fedoraproject fedora 22

redhat enterprise linux server eus 7.2

redhat enterprise linux hpc node eus 7.2

redhat enterprise linux desktop 7.0

redhat enterprise linux hpc node 7.0

redhat enterprise linux server 7.0

redhat enterprise linux workstation 7.0

redhat enterprise linux server aus 7.2

Vendor Advisories

Debian Bug report logs - #819504 mercurial: CVE-2016-3068 CVE-2016-3069 CVE-2016-3630. Package: src:mercurial; Maintainer for src:mercurial is Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Tue, 29 Mar 2016 19:36:02 UTC; Severit ...
Several vulnerabilities have been discovered in Mercurial, a distributed version control system. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2016-3068: Blake Burkhart discovered that Mercurial allows URLs for Git subrepositories that could result in arbitrary code execution on clone. CVE-2016-30 ...
It was discovered that Mercurial failed to properly check Git sub-repository URLs. A Mercurial repository that includes a Git sub-repository with a specially crafted URL could cause Mercurial to execute arbitrary code (CVE-2016-3068). The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clon ...
It was discovered that the Mercurial convert extension failed to sanitize special characters in Git repository names. A Git repository with a specially crafted name could cause Mercurial to execute arbitrary code when the Git repository was converted to a Mercurial repository. ...
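The advisory above says only that the convert extension failed to sanitize special characters in a Git repository name. The following is an illustrative example added to this page, not Mercurial's own code: it assumes the classic form of that bug class, a repository path spliced into a shell command string, and shows the vulnerable pattern beside two hardened forms. The crafted name is a constructed sample, and `echo` stands in for the git binary so the demonstration runs without git installed.

```python
"""Illustrative example (not Mercurial's code): a repository name spliced
into a shell command string, and the hardened equivalents.

Assumptions: the bug is shell command injection through the repository
path; 'echo' replaces 'git' so the demo runs anywhere with /bin/sh.
"""
import shlex
import subprocess

# Constructed sample: closes the double-quoted argument, runs a second
# command, then opens a new quote so the trailing '"' stays balanced.
CRAFTED_NAME = 'repo"; echo INJECTED; "'


def unsafe_command(tool: str, repo_path: str) -> str:
    """Vulnerable pattern: the name is formatted straight into a shell line.

    Double quotes do not stop a name that itself contains '"' and ';'.
    """
    return '%s ls-remote --heads "%s"' % (tool, repo_path)


def quoted_command(tool: str, repo_path: str) -> str:
    """Mitigation when a shell string is unavoidable: shlex.quote() the
    name so every metacharacter in it is literal, and add '--' so a name
    starting with '-' is not parsed as an option."""
    return '%s ls-remote --heads -- %s' % (tool, shlex.quote(repo_path))


def safe_argv(tool: str, repo_path: str) -> list:
    """Preferred fix: an argv list executed without any shell.

    No shell means no metacharacter interpretation at all; '--' still
    protects against option injection by the tool itself.
    """
    if "\0" in repo_path:
        raise ValueError("NUL byte in repository path")
    return [tool, "ls-remote", "--heads", "--", repo_path]


def run_shell(cmd: str) -> list:
    """Run a command string through /bin/sh; return its stdout lines."""
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def run_argv(argv: list) -> list:
    """Run an argv list directly (no shell); return its stdout lines."""
    out = subprocess.run(argv, capture_output=True, text=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    # Unsafe: two commands run, the second one attacker-chosen.
    print(run_shell(unsafe_command("echo", CRAFTED_NAME)))
    # Quoted: one command, the whole name delivered as a single argument.
    print(run_shell(quoted_command("echo", CRAFTED_NAME)))
    # argv: same result as quoted, with no shell in the path at all.
    print(run_argv(safe_argv("echo", CRAFTED_NAME)))
```

With the stand-in tool, the unsafe form prints the injected `INJECTED` line as a separate command's output, while both hardened forms print one line that contains the entire crafted name as literal argument text. When auditing a converter or hook that shells out, the check is the same: search for `%`-formatting or f-strings that build a command line from a path, branch or remote name, and replace them with an argv list (or, failing that, `shlex.quote`) plus `--`.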