Fluid Attacks Database

Description

Mercurial vulnerable to arbitrary code execution when converting Git repos The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted git repository name.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	mercurial	>=0 <3.8	3.8
debian 14	mercurial	>=0 <3.8.1-1	3.8.1-1
debian 12	mercurial	>=0 <3.8.1-1	3.8.1-1
debian 13	mercurial	>=0 <3.8.1-1	3.8.1-1
debian 11	mercurial	>=0 <3.8.1-1	3.8.1-1
rpm rhel6	mercurial	-	-
rpm rhel7	mercurial	-	-

Aliases

1. CVE-2016-31052. NVD-2016-31053. OSV-2016-31054. OSV-DEBIAN-2016-31055. GCVE-2016-31056. security.gentoo.org7. SECURITY-TRACKER-CVE-2016-3105

References

1. https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2016-28.yaml2. https://selenic.com/hg/rev/a56296f55a5e3. https://web.archive.org/web/20200228012056/http://www.securityfocus.com/bid/905364. https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.8_.2F_3.8.1_.282016-5-1.295. http://lists.opensuse.org/opensuse-updates/2016-05/msg00082.html6. http://www.debian.org/security/2016/dsa-35707. http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.533255

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.