Skip to main content

Mercurial CVE-2016-3069

HIGH
Improper Input Validation (CWE-20)
2016-04-13 secalert@redhat.com
8.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Apr 13, 2016 - 16:59 cve.org
HIGH 8.8

DescriptionCVE.org

Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository.

AnalysisAI

Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-20. Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository. Affected products include: Mercurial, Debian Debian Linux, Suse Linux Enterprise Debuginfo, Opensuse, Suse Linux Enterprise Software Development Kit. Version information: before 3.7.3.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2017-17458 CRITICAL
9.8 Dec 07

In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arb

CVE-2014-9462 HIGH POC
7.5 Mar 31

The _validaterepo function in sshpeer in Mercurial before 3.2.4 allows remote attackers to execute arbitrary commands vi

CVE-2017-1000116 CRITICAL
9.8 Oct 05

Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks.

CVE-2016-3630 HIGH
8.8 Apr 13

The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2

CVE-2016-3068 HIGH
8.8 Apr 13

Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted git ext:: URL when cloning a subr

CVE-2018-13347 CRITICAL
9.8 Jul 06

mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002. Rated critical se

CVE-2018-17983 CRITICAL
9.1 Oct 04

cext/manifest.c in Mercurial before 4.7.2 has an out-of-bounds read during parsing of a malformed manifest entry. Rated

CVE-2018-1000132 CRITICAL
9.1 Mar 14

Mercurial version 4.5 and earlier contains a Incorrect Access Control (CWE-285) vulnerability in Protocol server that ca

CVE-2016-3105 HIGH
8.8 May 09

The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a cr

CVE-2017-1000115 HIGH
7.5 Oct 05

Mercurial prior to version 4.3 is vulnerable to a missing symlink check that can malicious repositories to modify files

CVE-2022-30948 HIGH
7.5 May 17

Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some SCM repositorie

Share

CVE-2016-3069 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy