CVE-2016-3069
Publication date 13 April 2016
Last updated 25 August 2025
Ubuntu priority
Description
Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository.
From the Ubuntu Security Team
It was discovered that Mercurial incorrectly handled Git repository name. An attacker could possibly use this issue to execute arbitrary code.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| mercurial | ||
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Fixed 2.8.2-1ubuntu1.4
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
8.8 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
References
Other references
- https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29
- https://selenic.com/repo/hg-stable/rev/197eed39e3d5 (1/5)
- https://selenic.com/repo/hg-stable/rev/cdda7b96afff (2/5)
- https://selenic.com/repo/hg-stable/rev/b732e7f2aba4 (3/5)
- https://selenic.com/repo/hg-stable/rev/80cac1de6aea (4/5)
- https://selenic.com/repo/hg-stable/rev/ae279d4a19e9 (5/5)
- https://www.cve.org/CVERecord?id=CVE-2016-3069