Arbitrary Code Execution Affecting mercurial package, versions [,4.1.3)
Snyk CVSS
Attack Complexity
Low
Confidentiality
High
Integrity
High
Availability
High
Threat Intelligence
EPSS
3% (91st percentile)
- Snyk ID SNYK-PYTHON-MERCURIAL-42106
- published 28 May 2018
- disclosed 6 Jun 2017
- credit Unknown
How to fix?
Upgrade mercurial to version 4.1.3 or higher.
Overview
mercurial
Fast scalable distributed SCM (revision control, version control) system
Affected versions of this package are vulnerable to Arbitrary Code Execution. The hg serve --stdio command, which is typically exposed to remote users over SSH, allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by passing the --debugger flag as the repository name.
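As an added illustration of the defensive side (example code written for this page, not part of Mercurial or of the advisory): an SSH forced-command wrapper that only accepts the exact shape hg -R <repo> serve --stdio, rejects a repository argument that looks like an option (the --debugger case above), and restricts the path to a constructed allowlist; the version helper checks the affected range [,4.1.3) stated above. The allowlisted paths are hypothetical.

```python
import shlex
from pathlib import PurePosixPath

# Constructed allowlist of repositories this wrapper may serve (hypothetical paths).
ALLOWED_REPOS = {"/srv/hg/project-a", "/srv/hg/project-b"}


def parse_hg_serve_command(command: str, allowed_repos=ALLOWED_REPOS) -> str:
    """Validate an SSH_ORIGINAL_COMMAND of the form 'hg -R <repo> serve --stdio'.

    Returns the repository path when the command has exactly that shape and
    <repo> is allowlisted; raises ValueError otherwise.  The check relevant to
    this advisory is that the repository argument must never look like an
    option: vulnerable versions passed '--debugger' in that position through
    to Mercurial's option parser, which started the Python debugger.
    """
    argv = shlex.split(command)
    # Exact token shape: no extra flags anywhere around 'serve --stdio'.
    if len(argv) != 5 or argv[:2] != ["hg", "-R"] or argv[3:] != ["serve", "--stdio"]:
        raise ValueError(f"unexpected hg command shape: {argv!r}")
    repo = argv[2]
    # Reject anything option-like before it can be interpreted as a flag.
    if repo.startswith("-"):
        raise ValueError(f"repository argument looks like an option: {repo!r}")
    # Require an absolute, traversal-free path that is explicitly allowlisted.
    path = PurePosixPath(repo)
    if not path.is_absolute() or ".." in path.parts or str(path) not in allowed_repos:
        raise ValueError(f"repository not permitted: {repo!r}")
    return str(path)


def is_vulnerable_version(version: str) -> bool:
    """True if a plain dotted mercurial version (e.g. '4.1.2') is in [,4.1.3)."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    parts += (0,) * (3 - len(parts))  # pad '4.1' to (4, 1, 0)
    return parts < (4, 1, 3)
```

In an authorized_keys entry the wrapper would read the command from SSH_ORIGINAL_COMMAND and exec hg only when parse_hg_serve_command returns a path.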