CVE-2010-4237 — Improper Certificate Validation in Mercurial

CWE-295 — Improper Certificate Validation8 documents6 sources

Severity

5.9MEDIUMNVD

EPSS

0.3%

top 46.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mercurial Debian Mercurial

Timeline

PublishedOct 29

Latest updateApr 21

Description

Mercurial before 1.6.4 fails to verify the Common Name field of SSL certificates which allows remote attackers who acquire a certificate signed by a Certificate Authority to perform a man-in-the-middle attack.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages5 packages

▶debiandebian/mercurial< mercurial 1.6.4-1 (bookworm)

▶NVDmercurial/mercurial< 1.6.4

▶PyPImercurial/mercurial< 1.6.4

▶Debianmercurial/mercurial< 1.6.4-1+3

▶CVEListV5mercurial/mercurial1.6.4

🔴Vulnerability Details

GHSA

Mercurial Improper Certificate Validation vulnerability↗2022-04-21

▶

OSV

Mercurial Improper Certificate Validation vulnerability↗2022-04-21

▶

OSV

CVE-2010-4237: Mercurial before 1↗2019-10-29

▶

📋Vendor Advisories

Red Hat

Mercurial: Doesn't verify subject Common Name↗2010-09-29

▶

Debian

CVE-2010-4237: mercurial - Mercurial before 1.6.4 fails to verify the Common Name field of SSL certificates...↗2010

▶

💬Community

Bugzilla

bzr: doesn't verify subject Common Name↗2010-12-09

▶

Bugzilla

CVE-2010-4237 Mercurial: Doesn't verify subject Common Name↗2010-10-08

▶