製品・ソフトウェアに関する情報

JVN脆弱性詳細

Mercurial における任意のコードを実行される脆弱性

Title	Mercurial における任意のコードを実行される脆弱性
Summary	Mercurial には、任意のコードを実行される脆弱性が存在します。
Possible impacts	第三者により、サブリポジトリをクローンする際の巧妙に細工された git ext:: URL を介して、任意のコードを実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 29, 2016, midnight
Registration Date	April 19, 2016, 5:03 p.m.
Last Update	Nov. 9, 2016, 5:26 p.m.

CVSS3.0 : 重要
Score	8.8
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2.0 : 警告
Score	6.8
Vector	AV:N/AC:M/Au:N/C:P/I:P/A:P

Affected System

レッドハット

Red Hat Enterprise Linux Desktop

Red Hat Enterprise Linux HPC Node

Red Hat Enterprise Linux HPC Node EUS

Red Hat Enterprise Linux Server

Red Hat Enterprise Linux Server AUS

Red Hat Enterprise Linux Server EUS

Red Hat Enterprise Linux Workstation

Debian

Debian GNU/Linux 7.0

Debian GNU/Linux 8.0

Fedora Project

Fedora 22

Fedora 23

SUSE

SUSE Linux Enterprise Debuginfo 11-SP4

SUSE Linux Enterprise Software Development Kit 11-SP4

SUSE Linux Enterprise Software Development Kit 12

SUSE Linux Enterprise Software Development Kit 12-SP1

openSUSE project

openSUSE 13.2

openSUSE Leap

Mercurial

Mercurial 3.7.3 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2016-3068	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3068
National Vulnerability Database (NVD)
2	CVE-2016-3068	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3068

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
Debian Security Advisory
1	DSA-3542	https://www.debian.org/security/2016/dsa-3542
Fedora Update Notification
2	FEDORA-2016-79604dde9f	https://lists.fedoraproject.org/pipermail/package-announce/2016-April/181505.html
3	FEDORA-2016-b7f1f8e3bf	https://lists.fedoraproject.org/pipermail/package-announce/2016-April/181542.html
Mercurial
4	changeset 28013:34d43cb85de8	https://selenic.com/repo/hg-stable/rev/34d43cb85de8
5	Mercurial 3.7.3 (2016-3-29)	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29
opensuse-security-announce
6	openSUSE-SU-2016:1016	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00018.html
7	openSUSE-SU-2016:1073	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00043.html
8	SUSE-SU-2016:1010	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00016.html
9	SUSE-SU-2016:1011	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00017.html
Oracle Critical Patch Update
10	Oracle Linux Bulletin - April 2016	http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
11	Oracle Solaris Third Party Bulletin - April 2016	http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
Red Hat Security Advisory
12	RHSA-2016:0706	http://rhn.redhat.com/errata/RHSA-2016-0706.html

Change Log

No	Changed Details	Date of change
0	[2016年04月19日] 掲載 [2016年11月09日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：openSUSE project (openSUSE-SU-2016:1073) を追加ベンダ情報：オラクル (Oracle Linux Bulletin - April 2016) を追加ベンダ情報：オラクル (Oracle Solaris Third Party Bulletin - April 2016) を追加ベンダ情報：レッドハット (RHSA-2016:0706) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2016-3068

Summary	Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted git ext:: URL when cloning a subrepository.
Publication Date	April 14, 2016, 1:59 a.m.
Registration Date	Jan. 26, 2021, 2:10 p.m.
Last Update	Nov. 21, 2024, 11:49 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:8.0:::::::*
cpe:2.3:o:debian:debian_linux:7.0:::::::*

Configuration2		or higher	or less	more than	less than
cpe:2.3:a:mercurial:mercurial::::::::			3.7.2

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:fedoraproject:fedora:22:::::::*
cpe:2.3:o:fedoraproject:fedora:23:::::::*

Configuration4	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:::::::*
cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.2:::::::*

Configuration5	or higher	or less	more than	less than
cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp1::::::
cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:::::::*
cpe:2.3:o:suse:linux_enterprise_software_development_kit:11:sp4::::::
cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp4::::::
cpe:2.3:o:opensuse:opensuse:13.2:::::::*

Configuration6		or higher	or less	more than	less than
cpe:2.3:o:opensuse:leap:42.1:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181505.html	Third Party Advisory
2	http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181505.html	Third Party Advisory
3	http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181542.html	Third Party Advisory
4	http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181542.html	Third Party Advisory
5	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00016.html	Third Party Advisory
6	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00016.html	Third Party Advisory
7	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00017.html	Third Party Advisory
8	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00017.html	Third Party Advisory
9	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00018.html	Third Party Advisory
10	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00018.html	Third Party Advisory
11	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00043.html	Third Party Advisory
12	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00043.html	Third Party Advisory
13	http://rhn.redhat.com/errata/RHSA-2016-0706.html	Third Party Advisory
14	http://rhn.redhat.com/errata/RHSA-2016-0706.html	Third Party Advisory
15	http://www.debian.org/security/2016/dsa-3542	Third Party Advisory
16	http://www.debian.org/security/2016/dsa-3542	Third Party Advisory
17	http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
18	http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
19	http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
20	http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
21	http://www.securityfocus.com/bid/85733
22	http://www.securityfocus.com/bid/85733
23	https://security.gentoo.org/glsa/201612-19
24	https://security.gentoo.org/glsa/201612-19
25	https://selenic.com/repo/hg-stable/rev/34d43cb85de8	Issue Tracking Patch
26	https://selenic.com/repo/hg-stable/rev/34d43cb85de8	Issue Tracking Patch
27	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29	Vendor Advisory
28	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29	Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html

Configuration4	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:::::::*
cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.2:::::::*