CVE-2016-3069

CWE-20 — Improper Input Validation CWE-77 — Command Injection10 documents7 sources

Severity

8.8HIGH

EPSS

2.8%

top 13.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mercurial Mercurial Debian Debian Linux Fedoraproject Fedora +11 more

Timeline

PublishedApr 13

Latest updateMay 14

Description

Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages11 packages

▶PyPImercurial< 3.7.3

▶Debianmercurial< 3.7.3-1+3

▶NVDmercurial/mercurial3.7.2

▶NVDopensuse/leap42.1

▶NVDopensuse/opensuse13.2

Also affects: Debian Linux 7.0, 8.0, Fedora 22, 23, Enterprise Linux 7.2

Patches

Patch: selenic.com ↗Patch: selenic.com ↗Patch: selenic.com ↗

🔴Vulnerability Details

OSV

Mercurial vulnerable to arbitrary code execution via a crafted name when converting a Git repository↗2022-05-14

▶

GHSA

Mercurial vulnerable to arbitrary code execution via a crafted name when converting a Git repository↗2022-05-14

▶

OSV

CVE-2016-3069: Mercurial before 3↗2016-04-13

▶

CVEList

CVE-2016-3069: Mercurial before 3↗2016-04-13

▶

📋Vendor Advisories

Red Hat

mercurial: convert extension command injection via git repository names↗2016-03-29

▶

Debian

CVE-2016-3069: mercurial - Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a c...↗2016

▶

💬Community

Bugzilla

CVE-2016-3069 mercurial: Command execution vulnerabilities in Convert extension [fedora-all]↗2016-04-04

▶

Bugzilla

CVE-2016-3630 CVE-2016-3068 CVE-2016-3069 mercurial: various flaws [fedora-all]↗2016-03-30

▶

Bugzilla

CVE-2016-3069 mercurial: convert extension command injection via git repository names↗2016-03-22

▶