Public Date:
1320155: CVE-2016-3069 mercurial: convert extension command injection via git repository names
It was discovered that the Mercurial convert extension failed to sanitize special characters in Git repository names. A Git repository with a specially crafted name could cause Mercurial to execute arbitrary code when the Git repository was converted to a Mercurial repository.

Find out more about CVE-2016-3069 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v2 metrics

Base Score 5.1
Base Metrics AV:N/AC:H/Au:N/C:P/I:P/A:P
Access Vector Network
Access Complexity High
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux 7 (mercurial) RHSA-2016:0706 2016-05-02

Affected Packages State

Platform Package State
Red Hat Enterprise Linux 6 mercurial Will not fix


Red Hat would like to thank Blake Burkhart for reporting this issue.

External References

Last Modified