CVE-2018-1000132
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
Mercurial version 4.5 and earlier contains an Incorrect Access Control (CWE-285) vulnerability in the protocol server that can result in unauthorized data access. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed in 4.5.1.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2018-1000132
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2018-1000132.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | bookworm | fixed | 4.5.2-1 |
| debian | bullseye | fixed | 4.5.2-1 |
| debian | forky | fixed | 4.5.2-1 |
| debian | sid | fixed | 4.5.2-1 |
| debian | trixie | fixed | 4.5.2-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | mercurial | <4.5.1 | 4.5.1 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000132
- https://access.redhat.com/errata/RHSA-2019:2276
- https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2018-87.yaml
- https://lists.debian.org/debian-lts-announce/2018/03/msg00034.html
- https://lists.debian.org/debian-lts-announce/2018/07/msg00005.html
- https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html
- https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.5.1_.2F_4.5.2_.282018-03-06.29
- https://www.suse.com/security/cve/CVE-2018-1000132.html
- https://security-tracker.debian.org/tracker/CVE-2018-1000132