CVE-2018-1000132 — Incorrect Permission Assignment in Mercurial

CWE-732 — Incorrect Permission Assignment CWE-20 — Improper Input Validation8 documents6 sources

Severity

9.1CRITICALNVD

EPSS

0.6%

top 30.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mercurial Debian Mercurial Debian Linux

Timeline

PublishedMar 14

Latest updateMay 13

Description

Mercurial version 4.5 and earlier contains a Incorrect Access Control (CWE-285) vulnerability in Protocol server that can result in Unauthorized data access. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in 4.5.1.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages4 packages

▶debiandebian/mercurial< mercurial 4.5.2-1 (bookworm)

▶NVDmercurial/mercurial< 4.5.1

▶PyPImercurial/mercurial< 4.5.1

▶Debianmercurial/mercurial< 4.5.2-1+3

Also affects: Debian Linux 7.0, 8.0

🔴Vulnerability Details

OSV

Mercurial Incorrect Access Control vulnerability↗2022-05-13

▶

GHSA

Mercurial Incorrect Access Control vulnerability↗2022-05-13

▶

OSV

CVE-2018-1000132: Mercurial version 4↗2018-03-14

▶

📋Vendor Advisories

Red Hat

mercurial: HTTP server permissions bypass↗2018-03-08

▶

Debian

CVE-2018-1000132: mercurial - Mercurial version 4.5 and earlier contains a Incorrect Access Control (CWE-285) ...↗2018

▶

💬Community

Bugzilla

CVE-2018-1000132 mercurial: HTTP server permissions bypass [fedora-all]↗2018-03-08

▶

Bugzilla

CVE-2018-1000132 mercurial: HTTP server permissions bypass↗2018-03-08

▶