Vulnerability CVE-2018-1000132

Vulnerability Name:

CVE-2018-1000132 (CCN-140435)

Assigned:

2018-03-06

Published:

2018-03-06

Updated:

2020-07-31

Summary:

Mercurial version 4.5 and earlier contains a Incorrect Access Control (CWE-285) vulnerability in Protocol server that can result in Unauthorized data access. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in 4.5.1.

CVSS v3 Severity:

9.1 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
7.9 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): None

7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

6.5 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
5.7 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-732
CWE-20

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2018-1000132

Source: REDHAT
Type: UNKNOWN
RHSA-2019:2276

Source: XF
Type: UNKNOWN
mercurial-cve20181000132-unauth-access(140435)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20180330 [SECURITY] [DLA 1331-1] mercurial security update

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20180705 [SECURITY] [DLA 1414-1] mercurial security update

Source: MLIST
Type: UNKNOWN
[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update

Source: CCN
Type: Mercurial Web site
Mercurial 4.5.1 / 4.5.2 (2018-03-06)

Source: CONFIRM
Type: Release Notes, Vendor Advisory
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.5.1_.2F_4.5.2_.282018-03-06.29

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2018-1000132

Vulnerable Configuration:

Configuration 1:

cpe:/a:mercurial:mercurial:*:*:*:*:*:*:*:* (Version < 4.5.1)

Configuration 2:

cpe:/o:debian:debian_linux:7.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Configuration RedHat 5:

cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

Configuration CCN 1:

cpe:/a:mercurial:mercurial:4.5:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20181000132	V	CVE-2018-1000132	2023-06-22
oval:org.opensuse.security:def:7718	P	mercurial-5.9.1-150400.1.8 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:3124	P	libFLAC++6-1.3.0-11.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94754	P	mercurial-5.9.1-150400.1.8 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:1305	P	Security update for the Linux Kernel (Live Patch 5 for SLE 15 SP3) (Important)	2022-04-14
oval:org.opensuse.security:def:853	P	Security update for xz (Important)	2022-04-12
oval:org.opensuse.security:def:112980	P	mercurial-5.9.1-2.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:10441	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:10428	P	Security update for MozillaFirefox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:10440	P	Security update for MozillaFirefox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:952	P	Security update for python39-pip (Moderate)	2022-01-12
oval:org.opensuse.security:def:10196	P	Security update for net-snmp (Important)	2021-12-27
oval:org.opensuse.security:def:10432	P	Security update for p11-kit (Important)	2021-12-22
oval:org.opensuse.security:def:10377	P	Security update for xen (Moderate)	2021-12-09
oval:org.opensuse.security:def:10352	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:64594	P	Security update for python-Pygments (Important)	2021-10-20
oval:org.opensuse.security:def:106427	P	mercurial-5.9.1-2.1 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:71381	P	python3-pycrypto-2.6.1-1.28 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:71268	P	libjbig-devel-2.1-1.31 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:10150	P	Security update for xen (Important)	2021-09-03
oval:org.opensuse.security:def:10128	P	Security update for MozillaFirefox (Important)	2021-08-17
oval:org.opensuse.security:def:47703	P	libevent-2_0-5-2.0.21-6.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47474	P	ppc64-diag-2.7.3-1.17 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48026	P	gnutls-3.3.27-3.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47389	P	libpango-1_0-0-1.40.1-9.5 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47374	P	libmicrohttpd10-0.9.30-5.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48075	P	libXext6-1.3.2-4.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47802	P	libvdpau1-1.1.1-6.73 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47835	P	openssh-7.2p2-74.25.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47488	P	quagga-0.99.22.1-15.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47473	P	powerpc-utils-1.3.3-5.3 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48174	P	libpng16-16-1.6.8-14.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47510	P	syslog-service-2.0-778.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48289	P	python-urllib3-1.22-3.17.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47934	P	zoo-2.10-1020.56 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47375	P	libmms0-0.6.2-15.8 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47927	P	xorg-x11-libs-7.6-45.14 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47609	P	fontconfig-2.11.1-7.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:68028	P	Security update for the Linux Kernel (Live Patch 16 for SLE 15 SP1) (Important)	2021-07-27
oval:org.opensuse.security:def:10689	P	Security update for bluez (Moderate)	2021-07-22
oval:org.opensuse.security:def:1773	P	Security update for MozillaThunderbird (Important)	2021-07-22
oval:org.opensuse.security:def:10120	P	Security update for curl (Moderate)	2021-07-21
oval:org.opensuse.security:def:11101	P	Security update for fossil (Moderate)	2021-07-17
oval:org.opensuse.security:def:1473	P	Security update for gupnp (Important)	2021-06-24
oval:org.opensuse.security:def:10277	P	Security update for spice-gtk (Moderate)	2021-06-10
oval:org.opensuse.security:def:48388	P	cpio-2.11-29.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:11391	P	libproxy1-0.4.11-11.2 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48500	P	libgypsy0-0.9-6.22 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:16615	P	mercurial-2.8.2-15.13.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48373	P	augeas-1.2.0-10.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48701	P	pidgin-otr-4.0.0-6.18 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:62862	P	mercurial-4.5.2-1.19 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:124621	P	mercurial-2.8.2-15.13.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48599	P	perl-XML-LibXML-2.0019-5.3 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48472	P	libXrender1-0.9.8-3.55 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48531	P	libotr5-4.0.0-9.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48435	P	gpgme-1.5.1-1.11 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48630	P	sysconfig-0.84.0-13.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:11413	P	libvte9-0.28.2-17.83 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48602	P	ppp-2.4.7-1.4 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:72581	P	mercurial-4.5.2-1.19 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48534	P	libpng12-0-1.2.50-13.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:10258	P	Security update for the Linux Kernel (Important)	2021-05-18
oval:org.opensuse.security:def:64681	P	Security update for p7zip (Moderate)	2021-05-04
oval:org.opensuse.security:def:10243	P	Security update for libnettle (Important)	2021-04-28
oval:org.opensuse.security:def:10419	P	Security update for ruby2.5 (Important)	2021-03-24
oval:org.opensuse.security:def:10664	P	Security update for the Linux Kernel (Important)	2021-02-09
oval:org.opensuse.security:def:10589	P	Security update for gimp (Important)	2020-12-28
oval:org.opensuse.security:def:4091	P	mercurial-2.8.2-15.13.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:16927	P	mercurial-2.8.2-15.13.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:17582	P	Security update for openssl (Important)	2020-12-01
oval:org.opensuse.security:def:67928	P	libplist++-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:17825	P	Security update for freerdp (Moderate)	2020-12-01
oval:org.opensuse.security:def:10462	P	libHX-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:18722	P	Security update for mercurial (Moderate)	2020-12-01
oval:org.opensuse.security:def:49692	P	librsvg-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:17758	P	Recommended update for git (Moderate)	2020-12-01
oval:org.opensuse.security:def:18036	P	Security update for jasper (Moderate)	2020-12-01
oval:org.opensuse.security:def:18696	P	Security update for mariadb (Important)	2020-12-01
oval:org.opensuse.security:def:10570	P	mercurial on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:10753	P	libksba-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:17616	P	Security update for MozillaFirefox, mozilla-nss (Important)	2020-12-01
oval:org.opensuse.security:def:49746	P	mercurial on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:17935	P	Security update for wireshark (Moderate)	2020-12-01
oval:org.opensuse.security:def:49860	P	perl-YAML-LibYAML on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:17574	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:10508	P	libipa_hbac-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:10731	P	libexpat-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:17789	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:18058	P	Security update for gc (Moderate)	2020-12-01
oval:org.opensuse.security:def:49914	P	mercurial on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:11079	P	libtool on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:17701	P	Security update for libssh (Moderate)	2020-12-01
oval:org.opensuse.security:def:18024	P	Security update for libxml2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:17967	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:10555	P	libtool on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:10740	P	libgssglue-devel on GA media (Moderate)	2020-12-01
oval:com.redhat.rhsa:def:20192276	P	RHSA-2019:2276: mercurial security update (Moderate)	2019-08-06
oval:com.ubuntu.bionic:def:201810001320000000	V	CVE-2018-1000132 on Ubuntu 18.04 LTS (bionic) - medium.	2018-03-14
oval:com.ubuntu.artful:def:20181000132000	V	CVE-2018-1000132 on Ubuntu 17.10 (artful) - untriaged.	2018-03-14
oval:com.ubuntu.xenial:def:20181000132000	V	CVE-2018-1000132 on Ubuntu 16.04 LTS (xenial) - medium.	2018-03-14
oval:com.ubuntu.xenial:def:201810001320000000	V	CVE-2018-1000132 on Ubuntu 16.04 LTS (xenial) - medium.	2018-03-14
oval:com.ubuntu.bionic:def:20181000132000	V	CVE-2018-1000132 on Ubuntu 18.04 LTS (bionic) - medium.	2018-03-14
oval:com.ubuntu.cosmic:def:20181000132000	V	CVE-2018-1000132 on Ubuntu 18.10 (cosmic) - medium.	2018-03-14
oval:com.ubuntu.cosmic:def:201810001320000000	V	CVE-2018-1000132 on Ubuntu 18.10 (cosmic) - medium.	2018-03-14
oval:com.ubuntu.trusty:def:20181000132000	V	CVE-2018-1000132 on Ubuntu 14.04 LTS (trusty) - medium.	2018-03-14

BACK