
CVE-2016-3105: Mercurial vulnerable to arbitrary code execution when converting Git repos

CVSS Score (v3.0): 8.8

Basic Information

EPSS Score: 0.67129%
Published: 5/17/2022
Updated: 9/30/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
mercurial      pip         < 3.8                 3.8

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The security patch modifies the __init__ method of the convert_git class in hgext/convert/git.py so that the source path handed to git is first converted to an absolute path. This addresses the core vulnerability: git only routes a repository argument to a remote helper when the argument begins with URL scheme characters immediately followed by "::" (for example "ext::", whose helper runs the command that follows it), so a relative source name such as "ext::sh -c ..." was interpreted as a transport URL and executed a command, whereas an absolute path beginning with "/" can never match that pattern. The test cases demonstrate protection against repository names starting with "ext::" that would otherwise execute shell commands. The vulnerable function is the entry point for git repository conversion handling. Note that making the path absolute only stops git from treating the name as a URL; anywhere a repository name is interpolated into a shell command string, it must additionally be passed as an argument list rather than formatted into a string.
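The following Python example, added here and not taken from Mercurial or from git, models why the absolute-path fix works. It approximates git's remote-helper dispatch rule from transport.c (a repository argument is routed to the "<name>" helper only when it starts with URL-scheme characters followed by "::"); the regex, the function names, the cwd value and the sample repository names are all assumptions of this example. It shows the same hostile name before and after the fix, and a pre-flight check a converter could run on a source name.

```python
import posixpath
import re

# Simplified model of git's remote-helper dispatch (transport.c,
# transport_get()): a repository argument is routed to the "<name>" remote
# helper, e.g. "ext", only when it begins with URL-scheme characters
# immediately followed by "::".  This regex is an approximation for the
# example, not code from git or Mercurial.
_HELPER_PREFIX = re.compile(r'^[A-Za-z][A-Za-z0-9+.\-]*::')


def git_remote_helper(repo_arg):
    """Return the remote-helper name git would dispatch to, or None."""
    m = _HELPER_PREFIX.match(repo_arg)
    return m.group(0)[:-2] if m else None


def source_path_before_fix(path):
    """Pre-fix behaviour: the user-supplied path reaches git unchanged."""
    return path


def source_path_after_fix(path, cwd='/work/convert'):
    """Post-fix behaviour as modelled here: make the path absolute before
    git sees it.  cwd is a parameter (hypothetical value) to keep the
    example deterministic; the real fix uses os.path.abspath()."""
    if not posixpath.isabs(path):
        path = posixpath.join(cwd, path)
    return posixpath.normpath(path)


def is_safe_git_source(path):
    """Pre-flight check a converter can run on a repository name: reject
    anything git would treat as a remote-helper URL rather than a directory."""
    return git_remote_helper(path) is None


# Constructed sample inputs: a normal relative repo name and a hostile one
# shaped like git's ext:: transport, which runs the command after "ext::".
# For the ext helper, "% " encodes a space inside a single argument, so the
# hostile name becomes: sh -c "echo pwned >&2".
BENIGN = 'project.git'
HOSTILE = 'ext::sh -c echo% pwned% >&2'


def demo():
    """Compare helper dispatch for each sample name before and after the fix."""
    results = {}
    for name in (BENIGN, HOSTILE):
        before = source_path_before_fix(name)
        after = source_path_after_fix(name)
        results[name] = {
            'helper_before': git_remote_helper(before),
            'helper_after': git_remote_helper(after),
            'after_path': after,
        }
    return results


if __name__ == '__main__':
    for name, r in demo().items():
        print('%-32r helper before fix=%-5s after fix=%-5s -> %s'
              % (name, r['helper_before'], r['helper_after'], r['after_path']))
```

Running the block shows the hostile name dispatching to the "ext" helper when passed through unchanged, and to no helper at all once it is prefixed with the working directory, because "/work/convert/ext::..." no longer begins with a scheme name. The is_safe_git_source check is the defensive counterpart: refuse the name outright instead of relying on path normalization alone.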


WAF Protection Rules

WAF Rule

The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted git repository name.
