CVE-2008-2942 : Directory traversal vulnerability in patch.py in Mercurial 1.0.1 allows user-ass

Directory traversal vulnerability in patch.py in Mercurial 1.0.1 allows user-assisted attackers to modify arbitrary files via ".." (dot dot) sequences in a patch file.

Published 2008-06-30 20:41:00

Updated 2025-04-09 00:30:58

Source MITRE

View at NVD, CVE.org

Vulnerability category: Directory traversal

Products affected by CVE-2008-2942

Mercurial » Mercurial » Version: 1.0.1
cpe:2.3:a:mercurial:mercurial:1.0.1:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2008-2942

EPSS FAQ

0.58%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 66 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2008-2942

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2008-2942

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2008-2942

http://security.gentoo.org/glsa/glsa-200807-09.xml

Mercurial: Directory traversal (GLSA 200807-09) — Gentoo security
http://www.securityfocus.com/bid/30072
http://www.securityfocus.com/archive/1/493881/100/0/threaded
http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00006.html

[security-announce] SUSE Security Summary Report SUSE-SR:2008:015 - openSUSE Security Announce - openSUSE Mailing Lists

CVEs referencing this url
https://issues.rpath.com/browse/RPL-2633
http://secunia.com/advisories/31110

About Secunia Research | Flexera
http://wiki.rpath.com/Advisories:rPSA-2008-0211
http://www.selenic.com/hg/rev/87c704ac92d4

Mercurial: 87c704ac92d4
Exploit
http://secunia.com/advisories/31167

About Secunia Research | Flexera

CVEs referencing this url
http://secunia.com/advisories/31108

About Secunia Research | Flexera
https://exchange.xforce.ibmcloud.com/vulnerabilities/43551

Mercurial patch.py directory traversal CVE-2008-2942 Vulnerability Report
http://www.openwall.com/lists/oss-security/2008/07/01/1

oss-security - Re: CVE id request mercurial:Insufficient input validation
http://www.openwall.com/lists/oss-security/2008/06/30/1

oss-security - CVE id request mercurial:Insufficient input validation

Jump to

Vulnerability Details : CVE-2008-2942

Products affected by CVE-2008-2942

Exploit prediction scoring system (EPSS) score for CVE-2008-2942

CVSS scores for CVE-2008-2942

CWE ids for CVE-2008-2942

References for CVE-2008-2942