Vulnerabilities > Mercurial > Mercurial > 3.3.2

DATE CVE VULNERABILITY TITLE RISK
2019-04-22 CVE-2019-3902 Link Following vulnerability in multiple products
A flaw was found in Mercurial before 4.9.
5.8
2018-10-04 CVE-2018-17983 Out-of-bounds Read vulnerability in Mercurial
cext/manifest.c in Mercurial before 4.7.2 has an out-of-bounds read during parsing of a malformed manifest entry.
network
low complexity
mercurial CWE-125
6.4
2018-07-06 CVE-2018-13348 Improper Input Validation vulnerability in Mercurial
The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001.
network
low complexity
mercurial CWE-20
5.0
2018-07-06 CVE-2018-13347 Integer Overflow or Wraparound vulnerability in Mercurial
mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002.
network
low complexity
mercurial CWE-190
7.5
2018-07-06 CVE-2018-13346 Improper Input Validation vulnerability in Mercurial
The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the original data, aka OVE-20180430-0004.
network
low complexity
mercurial CWE-20
5.0
2018-03-14 CVE-2018-1000132 Incorrect Permission Assignment for Critical Resource vulnerability in multiple products
Mercurial version 4.5 and earlier contains a Incorrect Access Control (CWE-285) vulnerability in Protocol server that can result in Unauthorized data access.
network
low complexity
mercurial debian CWE-732
6.4
2017-12-07 CVE-2017-17458 OS Command Injection vulnerability in multiple products
In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository.
network
low complexity
mercurial debian CWE-78
critical
10.0
2017-10-05 CVE-2017-1000116 OS Command Injection vulnerability in multiple products
Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks.
network
low complexity
mercurial debian redhat CWE-78
critical
10.0
2017-10-05 CVE-2017-1000115 Link Following vulnerability in multiple products
Mercurial prior to version 4.3 is vulnerable to a missing symlink check that can malicious repositories to modify files outside the repository
network
low complexity
mercurial debian redhat CWE-59
5.0
2017-06-06 CVE-2017-9462 Incorrect Permission Assignment for Critical Resource vulnerability in multiple products
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.
network
low complexity
mercurial debian redhat CWE-732
critical
9.0