CVE-2016-3068

Impact:
Important
Public Date:
2016-03-29
CWE:
CWE-77
Bugzilla:
1319768: CVE-2016-3068 mercurial: command injection via git subrepository urls
It was discovered that Mercurial failed to properly check Git sub-repository URLs. A Mercurial repository that includes a Git sub-repository with a specially crafted URL could cause Mercurial to execute arbitrary code.

Find out more about CVE-2016-3068 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v2 metrics

Base Score 6.8
Base Metrics AV:N/AC:M/Au:N/C:P/I:P/A:P
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux 7 (mercurial) RHSA-2016:0706 2016-05-02

Affected Packages State

Platform Package State
Red Hat Enterprise Linux 6 mercurial Not affected

Acknowledgements

Red Hat would like to thank Blake Burkhart for reporting this issue.

External References

Last Modified