Vulnerabilities > Mercurial > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-10-29 | CVE-2010-4237 | Improper Certificate Validation vulnerability in Mercurial Mercurial before 1.6.4 fails to verify the Common Name field of SSL certificates which allows remote attackers who acquire a certificate signed by a Certificate Authority to perform a man-in-the-middle attack. | 4.3 |
| 2019-04-22 | CVE-2019-3902 | Link Following vulnerability in multiple products A flaw was found in Mercurial before 4.9. | 5.8 |
| 2018-10-04 | CVE-2018-17983 | Out-of-bounds Read vulnerability in Mercurial cext/manifest.c in Mercurial before 4.7.2 has an out-of-bounds read during parsing of a malformed manifest entry. | 6.4 |
| 2018-07-06 | CVE-2018-13348 | Improper Input Validation vulnerability in Mercurial The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001. | 5.0 |
| 2018-07-06 | CVE-2018-13346 | Improper Input Validation vulnerability in Mercurial The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the original data, aka OVE-20180430-0004. | 5.0 |
| 2018-03-14 | CVE-2018-1000132 | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products Mercurial version 4.5 and earlier contains a Incorrect Access Control (CWE-285) vulnerability in Protocol server that can result in Unauthorized data access. | 6.4 |
| 2017-10-05 | CVE-2017-1000115 | Link Following vulnerability in multiple products Mercurial prior to version 4.3 is vulnerable to a missing symlink check that can malicious repositories to modify files outside the repository | 5.0 |
| 2016-05-09 | CVE-2016-3105 | Improper Access Control vulnerability in multiple products The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted git repository name. | 6.8 |
| 2016-04-13 | CVE-2016-3069 | Improper Input Validation vulnerability in multiple products Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository. | 6.8 |
| 2016-04-13 | CVE-2016-3068 | Improper Input Validation vulnerability in multiple products Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted git ext:: URL when cloning a subrepository. | 6.8 |