CVE-2019-3902 - OpenCVE

A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository.

No CVSS v4.0

No CVSS v3.1

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:N/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Mercurial	Mercurial
Redhat	Enterprise Linux

Configuration 1 [-]

cpe:2.3:a:mercurial:mercurial:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*

No data.

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3902
https://lists.debian.org/debian-lts-announce/2019/04/msg00024.html
https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html
https://nvd.nist.gov/vuln/detail/CVE-2019-3902
https://usn.ubuntu.com/4086-1/
https://www.cve.org/CVERecord?id=CVE-2019-3902
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2019-04-22T15:29:13

Updated: 2024-08-04T19:26:26.699Z

Reserved: 2019-01-03T00:00:00

Link: CVE-2019-3902

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-04-22T16:29:01.913

Modified: 2020-07-31T13:15:12.210

Link: CVE-2019-3902

Redhat

Severity : Moderate

Publid Date: 2019-03-13T00:00:00Z

Links: CVE-2019-3902 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "mercurial", "vendor": "The Mercurial Project", "versions": [{"status": "affected", "version": "before 4.9"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-07-31T12:06:06", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3902"}, {"name": "[debian-lts-announce] 20190425 [SECURITY] [DLA 1764-1] mercurial security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/04/msg00024.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29"}, {"name": "USN-4086-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4086-1/"}, {"name": "[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2019-3902", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "mercurial", "version": {"version_data": [{"version_value": "before 4.9"}]}}]}, "vendor_name": "The Mercurial Project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository."}]}, "impact": {"cvss": [[{"vectorString": "5.1/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3902", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3902"}, {"name": "[debian-lts-announce] 20190425 [SECURITY] [DLA 1764-1] mercurial security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/04/msg00024.html"}, {"name": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29", "refsource": "MISC", "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29"}, {"name": "USN-4086-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4086-1/"}, {"name": "[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T19:26:26.699Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3902"}, {"name": "[debian-lts-announce] 20190425 [SECURITY] [DLA 1764-1] mercurial security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/04/msg00024.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29"}, {"name": "USN-4086-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4086-1/"}, {"name": "[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2019-3902", "datePublished": "2019-04-22T15:29:13", "dateReserved": "2019-01-03T00:00:00", "dateUpdated": "2024-08-04T19:26:26.699Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mercurial:mercurial:*:*:*:*:*:*:*:*", "matchCriteriaId": "306D4ED1-D257-4C53-BF66-602C3BBB595D", "versionEndExcluding": "4.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository."}, {"lang": "es", "value": "Se encontr\u00f3 un defecto en Mercurial, en versiones anteriores a la 4.9. Era posible utilizar enlaces simb\u00f3licos y subrepositorios para acabar con la l\u00f3gica de comprobaci\u00f3n de rutas de Mercurial y escribir archivos fuera de un repositorio."}], "id": "CVE-2019-3902", "lastModified": "2020-07-31T13:15:12.210", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 1.4, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2019-04-22T16:29:01.913", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3902"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/04/msg00024.html"}, {"source": "secalert@redhat.com", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"}, {"source": "secalert@redhat.com", "url": "https://usn.ubuntu.com/4086-1/"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"bugzilla": {"description": "mercurial: Path-checking logic bypass via symlinks and subrepositories", "id": "1696025", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1696025"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.1", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository.", "Starting with version 1.5.3, Mercurial allows environment variable expansion on path names for sub repositories when creating it or cloning a parent repository, but it doesn't validate whether the final path name outside the repository root directory. An attacker can leverage this weakness using a combination of symbolic links and environment variables to craft a tampered repository, leading Mercurial to write files outside the repository as long the destination location is empty."], "name": "CVE-2019-3902", "package_state": [{"cpe": "cpe:/a:redhat:ansible_tower:3", "fix_state": "Not affected", "package_name": "mercurial", "product_name": "Red Hat Ansible Tower 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "mercurial", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "mercurial", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "mercurial", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2019-03-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-3902\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-3902\nhttps://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29"], "statement": "This issue affects the versions of mercurial as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having a security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "threat_severity": "Moderate", "upstream_fix": "mercurial 4.9"}