CVE-2018-1000132

Description

Mercurial version 4.5 and earlier contains a Incorrect Access Control (CWE-285) vulnerability in Protocol server that can result in Unauthorized data access. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in 4.5.1.

Related CPE's

a mercurial mercurial ********

o debian debian_linux 8.0 *******

o debian debian_linux 7.0 *******

References

https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.5.1_.2F_4.5.2_.282018-03-06.29

Release NotesVendor Advisory

[debian-lts-announce] 20180330 [SECURITY] [DLA 1331-1] mercurial security update

Mailing ListThird Party Advisory

[debian-lts-announce] 20180705 [SECURITY] [DLA 1414-1] mercurial security update

Mailing ListThird Party Advisory

RHSA-2019:2276

[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update

CvssV3 impact

BaseSeverity	CRITICAL
ConfidentialityImpact	HIGH
AttackComplexity	LOW
Scope	UNCHANGED
AttackVector	NETWORK
AvailabilityImpact	NONE
IntegrityImpact	HIGH
PrivilegesRequired	NONE
BaseScore	9.1
VectorString	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Version	3.0
UserInteraction	NONE

CvssV2 impact

Version	2.0
VectorString	AV:N/AC:L/Au:N/C:P/I:P/A:N
AccessVector	NETWORK
AccessComplexity	LOW
Authentication	NONE
ConfidentialityImpact	PARTIAL
IntegrityImpact	PARTIAL
AvailabilityImpact	NONE
BaseScore	6.400000095367432

Created by Yello

About Severity.io