Published: 22/04/2019 Updated: 31/07/2020
CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
VMScore: 516
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P

Vulnerability Summary

A flaw was found in Mercurial prior to 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository.

Vendor Advisories

Debian Bug report logs - #927674 CVE-2019-3902 Package: src:mercurial; Maintainer for src:mercurial is Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>; Reported by: Moritz Muehlenhoff <jmm@debian.org> Date: Sat, 20 Apr 2019 22:36:02 UTC Severity: grave Tags: fixed-upstream, security, ups ...
Mercurial could be made to overwrite files ...
Oracle Solaris Third Party Bulletin - October 2019. Description: The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Cr ...