CVE-2016-3105: Mercurial vulnerable to arbitrary code execution when converting Git repos
The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted git repository name.
References
- github.com/advisories/GHSA-49cw-434h-qc57
- github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2016-28.yaml
- nvd.nist.gov/vuln/detail/CVE-2016-3105
- security.gentoo.org/glsa/201612-19
- selenic.com/hg/rev/a56296f55a5e
- web.archive.org/web/20200228012056/http://www.securityfocus.com/bid/90536
- www.mercurial-scm.org/wiki/WhatsNew