CVE-2019-3902
Published: 22 April 2019
A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository.
From the Ubuntu security team
It was discovered that Mercurial mishandled symlinks in subrepositories. An attacker could use this vulnerability to write arbitrary files to the target's filesystem.
Priority
CVSS 3 base score: 5.9
Status
Package | Release | Status |
---|---|---|
mercurial | bionic | Released (4.5.3-1ubuntu2.2) |
mercurial | cosmic | Ignored (reached end-of-life) |
mercurial | disco | Released (4.8.2-1ubuntu3.19.04.1) |
mercurial | eoan | Not vulnerable (4.8.2-1ubuntu4) |
mercurial | focal | Not vulnerable (4.8.2-1ubuntu4) |
mercurial | groovy | Not vulnerable (4.8.2-1ubuntu4) |
mercurial | hirsute | Not vulnerable (4.8.2-1ubuntu4) |
mercurial | impish | Not vulnerable (4.8.2-1ubuntu4) |
mercurial | jammy | Not vulnerable (4.8.2-1ubuntu4) |
mercurial | precise | Does not exist |
mercurial | trusty | Released (2.8.2-1ubuntu1.4+esm1) |
mercurial | upstream | Released (4.9-1) |
mercurial | xenial | Ignored (end of standard support, was needed) |