CVE-2019-3902

Description

A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository.

Related CPE's

a mercurial mercurial ********

o redhat enterprise_linux 7.0 *******

o debian debian_linux 8.0 *******

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3902

Issue TrackingVendor Advisory

[debian-lts-announce] 20190425 [SECURITY] [DLA 1764-1] mercurial security update

Third Party Advisory

https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29

Third Party Advisory

USN-4086-1

[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update

CvssV3 impact

BaseSeverity	MEDIUM
ConfidentialityImpact	NONE
AttackComplexity	HIGH
Scope	UNCHANGED
AttackVector	NETWORK
AvailabilityImpact	NONE
IntegrityImpact	HIGH
PrivilegesRequired	NONE
BaseScore	5.9
VectorString	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Version	3.0
UserInteraction	NONE

CvssV2 impact

Version	2.0
VectorString	AV:N/AC:M/Au:N/C:N/I:P/A:P
AccessVector	NETWORK
AccessComplexity	MEDIUM
Authentication	NONE
ConfidentialityImpact	NONE
IntegrityImpact	PARTIAL
AvailabilityImpact	PARTIAL
BaseScore	5.800000190734863

Created by Yello

About Severity.io