CVE-2016-3105

Description

The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted git repository name.

Related CPE's

o debian debian_linux 8.0 *******

a mercurial mercurial ********

References

https://selenic.com/hg/rev/a56296f55a5e

https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.8_.2F_3.8.1_.282016-5-1.29

Vendor Advisory

SSA:2016-123-01

openSUSE-SU-2016:1336

CvssV3 impact

BaseSeverity	HIGH
ConfidentialityImpact	HIGH
AttackComplexity	LOW
Scope	UNCHANGED
AttackVector	NETWORK
AvailabilityImpact	HIGH
IntegrityImpact	HIGH
PrivilegesRequired	NONE
BaseScore	8.8
VectorString	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Version	3.0
UserInteraction	REQUIRED

CvssV2 impact

Version	2.0
VectorString	AV:N/AC:M/Au:N/C:P/I:P/A:P
AccessVector	NETWORK
AccessComplexity	MEDIUM
Authentication	NONE
ConfidentialityImpact	PARTIAL
IntegrityImpact	PARTIAL
AvailabilityImpact	PARTIAL
BaseScore	6.800000190734863

Created by Yello

About Severity.io