Fluid Attacks Database

Description

Mercurial before 1.0.2 does not enforce the allowpull permission setting for a pull operation from hgweb, which allows remote attackers to read arbitrary files from a repository via an "hg pull" request.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	mercurial	>=0 <1.0.1-5.1	1.0.1-5.1
debian 14	mercurial	>=0 <1.0.1-5.1	1.0.1-5.1
debian 11	mercurial	>=0 <1.0.1-5.1	1.0.1-5.1
debian 13	mercurial	>=0 <1.0.1-5.1	1.0.1-5.1

Aliases

1. CVE-2008-42972. NVD-2008-42973. OSV-DEBIAN-2008-42974. OSV-2008-42975. SECURITY-TRACKER-CVE-2008-4297

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.