CVE-2019-3902 — Path Traversal in Mercurial

CWE-22 — Path Traversal CWE-59 — Link Following13 documents7 sources

Severity

5.9MEDIUMNVD

OSV9.1

EPSS

0.5%

top 32.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mercurial Debian Mercurial THE Mercurial Project Mercurial +2 more

Timeline

PublishedApr 22

Latest updateFeb 15

Description

A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages6 packages

▶debiandebian/mercurial< mercurial 4.9-1 (bookworm)

▶NVDmercurial/mercurial< 4.9

▶PyPImercurial/mercurial< 4.9

▶Debianmercurial/mercurial< 4.9-1+3

▶Ubuntumercurial/mercurial< 4.5.3-1ubuntu2.2+2

Also affects: Debian Linux 8.0, Enterprise Linux 7.0

🔴Vulnerability Details

OSV

Mercurial Path Traversal/Link Following vulnerability↗2022-02-15

▶

GHSA

Mercurial Path Traversal/Link Following vulnerability↗2022-02-15

▶

OSV

mercurial vulnerabilities↗2021-10-04

▶

OSV

mercurial vulnerabilities↗2021-03-16

▶

OSV

CVE-2019-3902: A flaw was found in Mercurial before 4↗2019-04-22

▶

📋Vendor Advisories

Ubuntu

Mercurial vulnerabilities↗2021-10-04

▶

Ubuntu

Mercurial vulnerabilities↗2021-03-16

▶

Ubuntu

Mercurial vulnerability↗2019-08-06

▶

Red Hat

mercurial: Path-checking logic bypass via symlinks and subrepositories↗2019-03-13

▶

Debian

CVE-2019-3902: mercurial - A flaw was found in Mercurial before 4.9. It was possible to use symlinks and su...↗2019

▶

💬Community

Bugzilla

CVE-2019-3902 mercurial: Path-checking logic bypass via symlinks and subrepositories↗2019-04-04

▶

Bugzilla

CVE-2019-3902 mercurial: Path-checking logic bypass via symlinks and subrepositories [fedora-all]↗2019-04-04

▶