CVE-2016-3069

MEDIUM

Description

Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository.

References

http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181505.html

http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181542.html

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00016.html

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00017.html

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00018.html

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00043.html

http://rhn.redhat.com/errata/RHSA-2016-0706.html

http://www.debian.org/security/2016/dsa-3542

http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html

https://security.gentoo.org/glsa/201612-19

https://selenic.com/repo/hg-stable/rev/197eed39e3d5

https://selenic.com/repo/hg-stable/rev/80cac1de6aea

https://selenic.com/repo/hg-stable/rev/ae279d4a19e9

https://selenic.com/repo/hg-stable/rev/b732e7f2aba4

https://selenic.com/repo/hg-stable/rev/cdda7b96afff

https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29

Details

Source: MITRE

Published: 2016-04-13

Updated: 2018-10-30

Type: CWE-20

Risk Information

CVSS v2.0

Base Score: 6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3.0

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 2.8

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:mercurial:mercurial:*:*:*:*:*:*:*:* versions up to 3.7.2 (inclusive)

Configuration 2

OR

cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp4:*:*:*:*:*:*

cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*

cpe:2.3:o:suse:linux_enterprise_software_development_kit:11:sp4:*:*:*:*:*:*

cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:*:*:*:*:*:*:*

cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp1:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*

Configuration 5

OR

cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*

Configuration 6

OR

cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.2:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

Tenable Plugins

View all (16 total)

IDNameProductFamilySeverity
121646Photon OS 1.0: Mercurial PHSA-2016-0011NessusPhotonOS Local Security Checks
medium
111845Photon OS 1.0: Apache / Mercurial PHSA-2016-0011 (deprecated)NessusPhotonOS Local Security Checks
medium
99782EulerOS 2.0 SP1 : mercurial (EulerOS-SA-2016-1019)NessusHuawei Local Security Checks
medium
95605GLSA-201612-19 : Mercurial: Multiple vulnerabilitiesNessusGentoo Local Security Checks
high
90866Amazon Linux AMI : mercurial (ALAS-2016-697)NessusAmazon Linux Local Security Checks
medium
90854Scientific Linux Security Update : mercurial on SL7.x x86_64 (20160502)NessusScientific Linux Local Security Checks
medium
90851RHEL 7 : mercurial (RHSA-2016:0706)NessusRed Hat Local Security Checks
medium
90850Oracle Linux 7 : mercurial (ELSA-2016-0706)NessusOracle Linux Local Security Checks
medium
90837CentOS 7 : mercurial (CESA-2016:0706)NessusCentOS Local Security Checks
medium
90559openSUSE Security Update : mercurial (openSUSE-2016-467)NessusSuSE Local Security Checks
medium
90485openSUSE Security Update : mercurial (openSUSE-2016-452)NessusSuSE Local Security Checks
medium
90416Fedora 23 : mercurial-3.5.2-1.fc23 (2016-b7f1f8e3bf)NessusFedora Local Security Checks
medium
90414Fedora 22 : mercurial-3.5.2-1.fc22 (2016-79604dde9f)NessusFedora Local Security Checks
medium
90370Debian DSA-3542-1 : mercurial - security updateNessusDebian Local Security Checks
medium
90319Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : mercurial (SSA:2016-092-01)NessusSlackware Local Security Checks
medium
90291FreeBSD : mercurial -- multiple vulnerabilities (e1085b15-f609-11e5-a230-0014a5a57822)NessusFreeBSD Local Security Checks
medium