Known Vulnerabilities for products from Mercurial
Listed below are 19 of the newest known vulnerabilities associated with the vendor "Mercurial".
These CVEs are retrieved by exact match on the vendor field of the listed CPE data, plus a keyword search, so that the newest vulnerabilities that do not yet carry officially listed vendor information (no CPE data) are still displayed.
Data on known vulnerable products is also displayed, based on the known CPEs; each product links to its respective vulnerability page.
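The two matching rules described above (exact CPE vendor match, keyword search as a fallback for records without vendor data), as an added example in Python. This is not code from this page or from the Mercurial project. It assumes CPE 2.3 formatted strings, reads "no officially listed vendor information" as "no CPE data on the record", and uses the CVSS v3.x qualitative bands for the severity label; the sample records are constructed, with the CPE strings and the CVE-0000-* placeholders being assumptions rather than NVD data.

```python
"""Added example (not from the page or from Mercurial): assembling a per-vendor
vulnerability listing from CVE records using the page's two matching rules."""
import re
from dataclasses import dataclass, field
from datetime import date


@dataclass
class CveRecord:
    cve_id: str
    description: str
    cvss: float            # base score as published
    published: date
    cpes: list = field(default_factory=list)  # CPE 2.3 strings; empty when none assigned yet


# Split a CPE 2.3 formatted string on colons that are not escaped ("\:" inside a value is literal).
_CPE_SPLIT = re.compile(r"(?<!\\):")


def parse_cpe23(cpe: str):
    """Return the part/vendor/product/version components of a CPE 2.3 string, or None."""
    fields = _CPE_SPLIT.split(cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        return None
    part, vendor, product, version = fields[2:6]
    return {"part": part, "vendor": vendor.lower(), "product": product.lower(), "version": version}


def vendor_matches(rec: CveRecord, vendor: str) -> bool:
    """Rule 1: exact, case-insensitive match on the vendor component of any listed CPE."""
    for cpe in rec.cpes:
        parsed = parse_cpe23(cpe)
        if parsed and parsed["vendor"] == vendor.lower():
            return True
    return False


def keyword_matches(rec: CveRecord, keyword: str) -> bool:
    """Rule 2: whole-word, case-insensitive search of the description ('Mercury' is not 'Mercurial')."""
    return re.search(r"\b" + re.escape(keyword) + r"\b", rec.description, re.IGNORECASE) is not None


def known_vulnerabilities(records, vendor, keyword=None, limit=None):
    """Newest-first list of (record, how_matched). The keyword rule is applied only to
    records that carry no CPE data at all, i.e. where vendor information is missing."""
    keyword = keyword or vendor
    hits = []
    for rec in records:
        if vendor_matches(rec, vendor):
            hits.append((rec, "cpe"))
        elif not rec.cpes and keyword_matches(rec, keyword):
            hits.append((rec, "keyword"))
    hits.sort(key=lambda hit: hit[0].published, reverse=True)
    return hits[:limit] if limit else hits


def severity_label(score: float) -> str:
    """CVSS v3.x qualitative bands (assumption: this is how the page renders its Severity column)."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW" if score > 0 else "NONE"


def table_row(rec: CveRecord, width: int = 120) -> str:
    """One markdown row in the page's layout, with the description shortened like the page does."""
    desc = rec.description if len(rec.description) <= width else rec.description[:width] + "..."
    return f"| {rec.cve_id} | {desc} | {rec.cvss:g} - {severity_label(rec.cvss)} | {rec.published.isoformat()} |"


def affected_products(records, vendor):
    """Distinct (vendor, product, version) tuples from CPE data, the source of the products table."""
    seen = set()
    for rec in records:
        for cpe in rec.cpes:
            parsed = parse_cpe23(cpe)
            if parsed and parsed["vendor"] == vendor.lower():
                seen.add((parsed["vendor"], parsed["product"], parsed["version"]))
    return sorted(seen)


# Constructed sample. The first three IDs, scores and dates come from the table on this page
# (summaries abbreviated); every CPE string is an assumption, and the CVE-0000-* records are
# placeholders that exist only to exercise the keyword rule.
SAMPLE = [
    CveRecord("CVE-2019-3902", "A flaw was found in Mercurial before 4.9 (summary abbreviated).",
              5.9, date(2019, 4, 22), ["cpe:2.3:a:mercurial:mercurial:4.8:*:*:*:*:*:*:*"]),
    CveRecord("CVE-2018-13347", "mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction.",
              9.8, date(2018, 7, 6), ["cpe:2.3:a:mercurial:mercurial:4.6.0:*:*:*:*:*:*:*"]),
    CveRecord("CVE-2017-1000116", "Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh.",
              9.8, date(2017, 10, 5), ["cpe:2.3:a:mercurial:mercurial:4.2:*:*:*:*:*:*:*"]),
    CveRecord("CVE-0000-0001", "Constructed placeholder: mentions Mercurial but has no CPE data assigned yet.",
              7.5, date(2020, 1, 1), []),
    CveRecord("CVE-0000-0002", "Constructed placeholder: mentions Mercury Mail only.",
              6.5, date(2020, 1, 2), []),
    CveRecord("CVE-0000-0003", "Constructed placeholder: mentions Mercurial, but its CPE data names another vendor.",
              5.0, date(2020, 1, 3), ["cpe:2.3:a:example:example:1.0:*:*:*:*:*:*:*"]),
]

if __name__ == "__main__":
    for rec, how in known_vulnerabilities(SAMPLE, "Mercurial"):
        print(table_row(rec), how)
    print(affected_products(SAMPLE, "Mercurial"))
```

Running the block lists the three page-derived records plus the CPE-less placeholder (matched by keyword), newest first, and drops both the "Mercury Mail" record and the one whose CPE names a different vendor; the products table is then just the distinct vendor/product/version tuples seen in the matched CPEs.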
Known Vulnerabilities
| CVE | Shortened Description | Severity (CVSS score - rating) | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2019-3902 | A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-chec... | 5.9 - MEDIUM | 2019-04-22 | 2020-07-31 |
| CVE-2018-1000132 | Mercurial version 4.5 and earlier contains an Incorrect Access Control (CWE-285) vulnerability in Protocol server that can res... | 9.1 - CRITICAL | 2018-03-14 | 2020-07-31 |
| CVE-2018-17983 | cext/manifest.c in Mercurial before 4.7.2 has an out-of-bounds read during parsing of a malformed manifest entry. | 9.1 - CRITICAL | 2018-10-04 | 2018-12-13 |
| CVE-2018-13348 | The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least... | 7.5 - HIGH | 2018-07-06 | 2020-07-31 |
| CVE-2018-13347 | mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002. | 9.8 - CRITICAL | 2018-07-06 | 2020-07-31 |
| CVE-2018-13346 | The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is pas... | 7.5 - HIGH | 2018-07-06 | 2020-07-31 |
| CVE-2017-1000116 | Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks. | 9.8 - CRITICAL | 2017-10-05 | 2019-10-03 |
| CVE-2017-1000115 | Mercurial prior to version 4.3 is vulnerable to a missing symlink check that can allow malicious repositories to modify files outsi... | 7.5 - HIGH | 2017-10-05 | 2019-05-10 |
| CVE-2017-17458 | In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrar... | 9.8 - CRITICAL | 2017-12-07 | 2020-07-31 |
| CVE-2017-9462 | In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequent... | 8.8 - HIGH | 2017-06-06 | 2020-02-05 |
| CVE-2016-3630 | The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) pus... | 8.8 - HIGH | 2016-04-13 | 2023-06-21 |
| CVE-2016-3105 | The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted... | 8.8 - HIGH | 2016-05-09 | 2017-07-01 |
| CVE-2016-3069 | Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository. | 8.8 - HIGH | 2016-04-13 | 2018-10-30 |
| CVE-2016-3068 | Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted git ext:: URL when cloning a subreposi... | 8.8 - HIGH | 2016-04-13 | 2018-10-30 |
| CVE-2014-9462 | The _validaterepo function in sshpeer in Mercurial before 3.2.4 allows remote attackers to execute arbitrary commands via a c... | 7.5 - HIGH | 2015-03-31 | 2018-10-30 |
| CVE-2014-9390 | Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; M... | 9.8 - CRITICAL | 2020-02-12 | 2021-05-17 |
| CVE-2010-4237 | Mercurial before 1.6.4 fails to verify the Common Name field of SSL certificates which allows remote attackers who acquire a ... | 5.9 - MEDIUM | 2019-10-29 | 2019-10-31 |
| CVE-2008-4297 | Mercurial before 1.0.2 does not enforce the allowpull permission setting for a pull operation from hgweb, which allows remote... | 5 - MEDIUM | 2008-09-27 | 2018-10-11 |
| CVE-2008-2942 | Directory traversal vulnerability in patch.py in Mercurial 1.0.1 allows user-assisted attackers to modify arbitrary files via... | 6.8 - MEDIUM | 2008-06-30 | 2018-10-11 |
Known software with vulnerabilities from Mercurial
| Type | Vendor | Product | Version |
|---|---|---|---|
| Application | Mercurial | Mercurial | 1.6.0 |