
CVE-2014-9462 – Gentoo Linux Security Advisory 201612-19
https://notcve.org/view.php?id=CVE-2014-9462
31 Mar 2015 — The _validaterepo function in sshpeer in Mercurial before 3.2.4 allows remote attackers to execute arbitrary commands via a crafted repository name in a clone command. Jesse Hertz of Matasano Security discovered that Mercurial, a distributed version control system, is prone to a command injection vulnerability via a cr... • http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html • CWE-20: Improper Input Validation •
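The bug class behind this entry is a repository path from an ssh:// URL being spliced into the command line that the remote login shell parses. The example below is added here and is not Mercurial's code: it shows the vulnerable construction next to a hardened one, plus the Python allowlist pitfall where a `$`-anchored regex accepts a trailing newline. The `hg -R <path> serve --stdio` shape matches Mercurial's ssh wire protocol; the helper names, the allowlist characters and the sample URLs are assumptions of this example, not the specific defect fixed in 3.2.4.

```python
"""Added example (not Mercurial's code): building the remote 'hg serve' command
from an ssh:// repository path safely.  Function names, the allowlist and the
sample inputs are assumptions made for this illustration."""
import re
from urllib.parse import urlsplit

# Characters that need no quoting as a single POSIX shell word (allowlist).
_SAFE_WORD = re.compile(r"[A-Za-z0-9@%_+=:,./-]*")


def repo_path_from_url(url):
    """'ssh://host/proj/repo' -> 'proj/repo'  ('.' when the URL has no path)."""
    u = urlsplit(url)
    if u.scheme != "ssh" or not u.hostname:
        raise ValueError("expected an ssh:// URL with a host")
    return u.path.lstrip("/") or "."


def remote_command_unsafe(path):
    """VULNERABLE shape: the path is dropped unquoted into the string that the
    remote shell will parse, so ';', '$(..)', backticks or a newline inside the
    repository name run as separate remote commands around the real 'hg'."""
    return "hg -R %s serve --stdio" % path


def remote_quote(word):
    """Quote one word for a remote POSIX shell: allowlisted words pass through,
    anything else is single-quoted with embedded single quotes escaped."""
    if _SAFE_WORD.fullmatch(word):
        return word
    return "'" + word.replace("'", "'\\''") + "'"


def is_safe_repo_path(path):
    """Quoting defeats shell injection, not option injection: a path starting
    with '-' would be parsed by the remote 'hg' as an option, so refuse it."""
    return bool(path) and not path.startswith("-")


def remote_command(path):
    """Hardened construction: validate, then quote the path as one shell word."""
    if not is_safe_repo_path(path):
        raise ValueError("refusing repository path %r" % path)
    return "hg -R %s serve --stdio" % remote_quote(path)


def local_argv(url):
    """argv for the local side with no local shell involved; '--' ends ssh
    option parsing so the host part can never be read as an ssh option."""
    u = urlsplit(url)
    return ["ssh", "--", u.hostname, remote_command(repo_path_from_url(url))]


def dollar_anchor_matches(word):
    """Allowlist pitfall: in Python '$' also matches just before a trailing
    newline, so 'repo\\n' passes a '$'-anchored check.  fullmatch (or \\Z) does
    not have this hole, which is why remote_quote uses fullmatch."""
    return re.match(r"[A-Za-z0-9@%_+=:,./-]*$", word) is not None


if __name__ == "__main__":
    evil = "ssh://example.org/repo;touch /tmp/pwned"   # constructed input
    print("unsafe:", remote_command_unsafe(repo_path_from_url(evil)))
    print("safe  :", remote_command(repo_path_from_url(evil)))
    print("argv  :", local_argv(evil))
```

The hardened version has two independent checks because they stop different things: single-quoting neutralises every shell metacharacter the remote shell could interpret, while the leading-`-` refusal stops the path from being consumed as an option by the remote `hg` itself, which no amount of quoting prevents.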

CVE-2014-9390 – Ubuntu Security Notice USN-2470-1
https://notcve.org/view.php?id=CVE-2014-9390
20 Dec 2014 — Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config ... • https://packetstorm.news/files/id/129784 • CWE-20: Improper Input Validation •

CVE-2008-4297
https://notcve.org/view.php?id=CVE-2008-4297
27 Sep 2008 — Mercurial before 1.0.2 does not enforce the allowpull permission setting for a pull operation from hgweb, which allows remote attackers to read arbitrary files from a repository via an "hg pull" request. • http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html • CWE-264: Permissions, Privileges, and Access Controls •
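The missing check here is an authorization gate on the wire-protocol commands that transfer repository data: `allowpull = false` in the `[web]` section has to be consulted for every pull-class command, not only for the browsing UI. The example below is added here and is not hgweb's code: it parses a `[web]` section with the real option names (`allowpull`, `allow_read`, `deny_read`, `allow_push`, `deny_push`, `push_ssl`) and applies the permission table to a subset of the real wire command names. The function names, the return convention (None or an HTTP status code) and the exact order of checks are assumptions of this example.

```python
"""Added example (not Mercurial's code): enforcing hgweb's [web] permission
settings, allowpull included, on wire-protocol commands.  Option and command
names follow Mercurial; everything else is an assumption of this example."""
import configparser

# Access class each wire command needs (subset of Mercurial's table).
WIRE_PERMISSIONS = {
    "capabilities": "pull", "heads": "pull", "known": "pull", "lookup": "pull",
    "listkeys": "pull", "batch": "pull", "branchmap": "pull",
    "changegroup": "pull", "changegroupsubset": "pull", "getbundle": "pull",
    "stream_out": "pull",
    "pushkey": "push", "unbundle": "push",
}


def parse_web_section(hgrc_text):
    """Read the [web] settings that matter for access control from hgrc text.
    User lists are whitespace/comma separated; '*' means everyone."""
    cp = configparser.ConfigParser()
    cp.read_string(hgrc_text)

    def users(key):
        return cp.get("web", key, fallback="").replace(",", " ").split()

    return {
        "allowpull": cp.getboolean("web", "allowpull", fallback=True),
        "push_ssl": cp.getboolean("web", "push_ssl", fallback=True),
        "allow_read": users("allow_read"), "deny_read": users("deny_read"),
        "allow_push": users("allow_push"), "deny_push": users("deny_push"),
    }


def _listed(user, names):
    return "*" in names or (user is not None and user in names)


def checkperm(web, command, user=None, secure=True):
    """Return None when `command` is allowed for `user`, otherwise the HTTP
    status the server should answer with (400 unknown, 401 not authorized,
    403 push refused over plain HTTP)."""
    op = WIRE_PERMISSIONS.get(command)
    if op is None:
        return 400
    # The read gate applies to everything, the pull protocol included.
    if _listed(user, web["deny_read"]):
        return 401
    if web["allow_read"] and not _listed(user, web["allow_read"]):
        return 401
    if op == "pull":
        # This is the check whose absence lets 'hg pull' bypass the setting:
        # every data-transferring command must honour allowpull.
        return None if web["allowpull"] else 401
    # op == "push"
    if web["push_ssl"] and not secure:
        return 403
    if _listed(user, web["deny_push"]):
        return 401
    if not _listed(user, web["allow_push"]):
        return 401
    return None


# Constructed sample configuration: browsing allowed, pulling over the
# protocol disabled, pushing only for alice over TLS.
SAMPLE_HGRC = """\
[web]
allowpull = false
allow_push = alice
"""

if __name__ == "__main__":
    web = parse_web_section(SAMPLE_HGRC)
    for cmd, user in [("changegroup", None), ("unbundle", "alice"),
                      ("unbundle", "bob")]:
        print(cmd, user, "->", checkperm(web, cmd, user))
```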

CVE-2008-2942
https://notcve.org/view.php?id=CVE-2008-2942
30 Jun 2008 — Directory traversal vulnerability in patch.py in Mercurial 1.0.1 allows user-assisted attackers to modify arbitrary files via ".." (dot dot) sequences in a patch file. • http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00006.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
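This entry and CVE-2014-9390 above are two faces of the same missing control: a file name taken from untrusted input (a patch file here, a remote tree there) is written without first checking where it lands. The example below is added here and is not Mercurial's code: a path auditor that rejects `..` and absolute paths, and rejects components that the file system would map onto the `.hg` or `.git` metadata directory (case variants, NTFS 8.3 short names such as `HG~1`, trailing dots and spaces that NTFS strips, and the code points HFS+ ignores when comparing names), applied to the targets of a unified diff. The HFS+ ignorable list is the one git and Mercurial use; the function names, the diff parsing and the sample patch are assumptions of this example.

```python
"""Added example (not Mercurial's code): auditing file names from a patch
before writing them into a working directory.  Function names, the parser
and the sample patch are assumptions of this illustration."""
import re

# Code points HFS+ ignores when comparing file names (same list as git's
# utf8.c and Mercurial's encoding.hfsignoreclean).
_HFS_IGNORABLE = frozenset([
    0x200C, 0x200D, 0x200E, 0x200F, 0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F, 0xFEFF])
_RESERVED = {".hg", ".git"}
_HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")


def canonical_component(name):
    """Fold one path component the way case-insensitive file systems would,
    so that lookalikes of '.hg' / '.git' compare equal to them."""
    s = "".join(ch for ch in name if ord(ch) not in _HFS_IGNORABLE)
    s = s.rstrip(". ")          # NTFS drops trailing dots and spaces
    s = s.lower()               # NTFS, HFS+ and APFS default to case-insensitive
    base, tilde, num = s.rpartition("~")
    if tilde and num.isdigit() and base in ("hg", "git"):
        return "." + base       # 8.3 short name: HG~1 aliases .hg, GIT~1 .git
    return s


def audit_path(path):
    """Return None if `path` may be written inside the working directory,
    otherwise the reason it was rejected."""
    if not path:
        return "empty path"
    p = path.replace("\\", "/")
    if p.startswith("/") or (len(p) > 1 and p[1] == ":"):
        return "absolute path"
    for comp in p.split("/"):
        if comp == "..":
            return "path traversal component '..'"
        if canonical_component(comp) in _RESERVED:
            return "writes into repository metadata: %r" % comp
    return None


def patch_targets(patch_text):
    """Target file names ('+++' headers) of a unified diff.  Hunk bodies are
    skipped by line count so added lines that start with '+++' are not
    mistaken for headers."""
    targets, old, new = [], 0, 0
    for line in patch_text.splitlines():
        if old > 0 or new > 0:          # inside a hunk body
            if line.startswith("-"):
                old -= 1
            elif line.startswith("+"):
                new -= 1
            elif not line.startswith("\\"):   # context; '\ No newline' counts nowhere
                old -= 1
                new -= 1
            continue
        m = _HUNK.match(line)
        if m:
            old = int(m.group(1)) if m.group(1) is not None else 1
            new = int(m.group(2)) if m.group(2) is not None else 1
        elif line.startswith("+++ "):
            name = line[4:].split("\t")[0]
            if name.startswith(("a/", "b/")):
                name = name[2:]
            if name != "/dev/null":      # deletion, nothing is written
                targets.append(name)
    return targets


def audit_patch(patch_text):
    """(target, reason) for every target the auditor refuses."""
    return [(t, audit_path(t)) for t in patch_targets(patch_text)
            if audit_path(t) is not None]


# Constructed sample: one honest change, one traversal, one '.hg' lookalike.
SAMPLE_PATCH = """\
--- a/src/main.c
+++ b/src/main.c
@@ -1 +1 @@
-int x;
+int y;
--- /dev/null
+++ b/../../../../home/user/.ssh/authorized_keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAA... attacker
--- /dev/null
+++ b/.HG/hgrc
@@ -0,0 +1,2 @@
+[paths]
+default = ssh://attacker.example/repo
"""

if __name__ == "__main__":
    for target, reason in audit_patch(SAMPLE_PATCH):
        print("REJECT %s: %s" % (target, reason))
```

Checking every component, not just the first, matters for both CVEs: `a/../../x` escapes via a later component, and `docs/.Git/config` lands in metadata via a later one. The canonicalisation is deliberately one-way (used only for comparison), so the original name is still what gets written when the check passes.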