Mercurial prior to 1.0.2 does not enforce the allowpull permission setting for a pull operation from hgweb, which allows remote malicious users to read arbitrary files from a repository via an "hg pull" request.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
mercurial mercurial |