Published: 13 April 2016
Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository.
From the Ubuntu security team
It was discovered that Mercurial incorrectly handled Git repository names. An attacker could possibly use this issue to execute arbitrary code.
CVSS 3 base score: 8.8
- https://selenic.com/repo/hg-stable/rev/197eed39e3d5 (1/5)
- https://selenic.com/repo/hg-stable/rev/cdda7b96afff (2/5)
- https://selenic.com/repo/hg-stable/rev/b732e7f2aba4 (3/5)
- https://selenic.com/repo/hg-stable/rev/80cac1de6aea (4/5)
- https://selenic.com/repo/hg-stable/rev/ae279d4a19e9 (5/5)