CVE-2016-3105 — Improper Access Control in Mercurial

CWE-284 — Improper Access Control CWE-77 — Command Injection9 documents7 sources

Severity

8.8HIGHNVD

EPSS

1.2%

top 21.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mercurial Debian Mercurial Debian Linux

Timeline

PublishedMay 9

Latest updateMay 17

Description

The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted git repository name.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/mercurial< mercurial 3.8.1-1 (bookworm)

▶PyPImercurial/mercurial< 3.8

▶Debianmercurial/mercurial< 3.8.1-1+3

▶NVDmercurial/mercurial3.7.3

Also affects: Debian Linux 8.0

🔴Vulnerability Details

GHSA

Mercurial vulnerable to arbitrary code execution when converting Git repos↗2022-05-17

▶

OSV

Mercurial vulnerable to arbitrary code execution when converting Git repos↗2022-05-17

▶

CVEList

CVE-2016-3105: The convert extension in Mercurial before 3↗2016-05-09

▶

OSV

CVE-2016-3105: The convert extension in Mercurial before 3↗2016-05-09

▶

📋Vendor Advisories

Red Hat

mercurial: arbitrary code execution when converting git repos↗2016-04-06

▶

Debian

CVE-2016-3105: mercurial - The convert extension in Mercurial before 3.8 might allow context-dependent atta...↗2016

▶

💬Community

Bugzilla

CVE-2016-3105 mercurial: arbitrary code execution when converting git repos↗2016-05-04

▶

Bugzilla

CVE-2016-3105 mercurial: arbitrary code execution when converting git repos [fedora-all]↗2016-05-04

▶