CVE-2008-4297 — Mercurial vulnerability

CWE-26410 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

0.8%

top 26.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mercurial Debian Mercurial

Timeline

PublishedSep 27

Latest updateMay 2

Description

Mercurial before 1.0.2 does not enforce the allowpull permission setting for a pull operation from hgweb, which allows remote attackers to read arbitrary files from a repository via an "hg pull" request.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/mercurial< mercurial 1.0.1-5.1 (bookworm)

▶Debianmercurial/mercurial< 1.0.1-5.1+3

▶NVDmercurial/mercurial1.0.1

🔴Vulnerability Details

GHSA

GHSA-rw83-rp96-92cm: Mercurial before 1↗2022-05-02

▶

OSV

CVE-2008-4297: Mercurial before 1↗2008-09-27

▶

CVEList

CVE-2008-4297: Mercurial before 1↗2008-09-27

▶

📋Vendor Advisories

Red Hat

mercurial: missing allowpull permission check in hgweb↗2008-08-13

▶

Debian

CVE-2008-4297: mercurial - Mercurial before 1.0.2 does not enforce the allowpull permission setting for a p...↗2008

▶

💬Community

Bugzilla

CVE-2008-4297 mercurial [epel-5]↗2008-09-29

▶

Bugzilla

CVE-2008-2942 CVE-2008-4297 mercurial: multiple security issues [Fedora 8]↗2008-09-29

▶

Bugzilla

CVE-2008-4297 mercurial: missing allowpull permission check in hgweb↗2008-09-29

▶

Bugzilla

CVE-2008-4297 mercurial [epel-4]↗2008-09-29

▶