CVE-2019-3902: Path Traversal
Published Apr 22, 2019
A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository.
Affected Software
5 affected components · Fixes available
pip/mercurial<4.9
4.9
Mercurial Mercurial<4.9
Debian Debian Linux=8.0
redhat Enterprise Linux=7.0
debian/mercurial
5.6.1-4, 5.6.1-4+deb11u1, 6.3.2-1+deb12u1, 7.0.1-2, 7.1.1-1, 7.2-4
Event History
Apr 22, 2019
CVE Published
via MITRE·03:29 PM
Data Sourced
via MITRE·03:29 PM
Description · Severity · Weakness
Feb 15, 2022
Advisory Published
via GitHub·01:13 AM
Aug 4, 2024
Data Sourced
via Launchpad·07:35 PM
Description
Feb 23, 2026
Data Sourced
via Ubuntu·04:01 PM
Remedy · Description · Severity · Affected Software
Feb 24, 2026
Data Sourced
via Debian·04:02 PM
Description · Affected Software
Frequently Asked Questions
1. What is CVE-2019-3902?
CVE-2019-3902 is a vulnerability found in Mercurial before version 4.9 that allows the use of symlinks and subrepositories to write files outside a repository.
2. How does CVE-2019-3902 affect Mercurial?
In Mercurial before version 4.9, symlinks and subrepositories can be used to defeat Mercurial's path-checking logic, which allows files to be written outside a repository.
3. What is the severity of CVE-2019-3902?
The severity of CVE-2019-3902 is medium with a severity value of 5.9.
4. Which software versions are affected by CVE-2019-3902?
Mercurial before version 4.9, Debian Linux 8.0, and Red Hat Enterprise Linux 7.0 are affected by CVE-2019-3902.
5. How can CVE-2019-3902 be fixed?
To fix CVE-2019-3902, users should update Mercurial to version 4.9 or higher.