Fluid Attacks Database

Description

Mercurial arbitrary code execution via a crafted git ext:: URL Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted git ext:: URL when cloning a subrepository.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	mercurial	>=0 <3.7.3	3.7.3
debian 14	mercurial	>=0 <3.7.3-1	3.7.3-1
debian 11	mercurial	>=0 <3.7.3-1	3.7.3-1
debian 12	mercurial	>=0 <3.7.3-1	3.7.3-1
debian 13	mercurial	>=0 <3.7.3-1	3.7.3-1
rpm rhel7	mercurial	<0:2.6.2-6.el7_2	0:2.6.2-6.el7_2

Aliases

1. CVE-2016-30682. NVD-2016-30683. OSV-2016-30684. OSV-DEBIAN-2016-30685. GCVE-2016-30686. security.gentoo.org7. SECURITY-TRACKER-CVE-2016-3068

References

1. https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2016-26.yaml2. https://selenic.com/repo/hg-stable/rev/34d43cb85de83. https://web.archive.org/web/20200228003737/http://www.securityfocus.com/bid/857334. https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.295. http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181505.html6. http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181542.html7. http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00016.html8. http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00017.html9. http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00018.html10. http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00043.html11. http://rhn.redhat.com/errata/RHSA-2016-0706.html12. http://www.debian.org/security/2016/dsa-354213. http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html14. http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.