CVE-2016-3068

CWE-20 — Improper Input Validation CWE-77 — Command Injection10 documents7 sources

Severity

8.8HIGH

EPSS

5.0%

top 10.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mercurial Mercurial Debian Debian Linux Fedoraproject Fedora +11 more

Timeline

PublishedApr 13

Latest updateMay 14

Description

Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted git ext:: URL when cloning a subrepository.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages11 packages

▶PyPImercurial< 3.7.3

▶Debianmercurial< 3.7.3-1+3

▶NVDmercurial/mercurial3.7.2

▶NVDopensuse/leap42.1

▶NVDopensuse/opensuse13.2

Also affects: Debian Linux 7.0, 8.0, Fedora 22, 23, Enterprise Linux 7.2

Patches

Patch: selenic.com ↗Patch: selenic.com ↗

🔴Vulnerability Details

GHSA

Mercurial arbitrary code execution via a crafted git ext:: URL↗2022-05-14

▶

OSV

Mercurial arbitrary code execution via a crafted git ext:: URL↗2022-05-14

▶

OSV

CVE-2016-3068: Mercurial before 3↗2016-04-13

▶

CVEList

CVE-2016-3068: Mercurial before 3↗2016-04-13

▶

📋Vendor Advisories

Red Hat

mercurial: command injection via git subrepository urls↗2016-03-29

▶

Debian

CVE-2016-3068: mercurial - Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a c...↗2016

▶

💬Community

Bugzilla

CVE-2016-3068 mercurial: Git ext:: URLs specified in Mercurial subrepositories allows RCE [fedora-all]↗2016-04-04

▶

Bugzilla

CVE-2016-3630 CVE-2016-3068 CVE-2016-3069 mercurial: various flaws [fedora-all]↗2016-03-30

▶

Bugzilla

CVE-2016-3068 mercurial: command injection via git subrepository urls↗2016-03-21

▶