ALAS-2017-893 ---- mercurial, emacs-mercurial
ID: oval:org.secpod.oval:def:1600772 | Date: (C)2017-09-21 (M)2023-04-19 |
Class: PATCH | Family: unix |
A shell command injection flaw related to the handling of "ssh" URLs has been discovered in Mercurial. This can be exploited to execute shell commands with the privileges of the user running the Mercurial client, for example, when performing a "checkout" or "update" action on a sub-repository within a malicious repository or a legitimate repository containing a malicious commit.

A vulnerability was also found in the way Mercurial handles path auditing and caches the results. An attacker could abuse a repository with a series of commits mixing symlinks and regular files/directories to trick Mercurial into writing outside of a given repository.
Platform: |
Amazon Linux AMI |
Product: |
mercurial |
emacs-mercurial |