CVE-2020-2306

A missing permission check in Jenkins Mercurial Plugin 2.11 and earlier allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations.

References

https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2104

Affected packages

Git / github.com/jenkinsci/mercurial-plugin

Affected ranges

Type

GIT

Repo

https://github.com/jenkinsci/mercurial-plugin

Events

Introduced

Last affected

1b765055ee8d483ca5c5b72210f1cd57493c128d

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.11"
        }
    ]
}

Affected versions

mercurial-1.*

mercurial-1.35

mercurial-1.36

mercurial-1.37

mercurial-1.38

mercurial-1.39

mercurial-1.40

mercurial-1.41

mercurial-1.42

mercurial-1.43

mercurial-1.44

mercurial-1.45

mercurial-1.46

mercurial-1.47

mercurial-1.48

mercurial-1.48-beta-1

mercurial-1.49

mercurial-1.50

mercurial-1.50-beta-1

mercurial-1.50-beta-2

mercurial-1.51

mercurial-1.51-beta-1

mercurial-1.51-beta-2

mercurial-1.51-beta-3

mercurial-1.52

mercurial-1.53

mercurial-1.54

mercurial-1.55

mercurial-1.56

mercurial-1.57

mercurial-1.58

mercurial-1.58-beta-1

mercurial-1.59

mercurial-1.60

mercurial-1.61

mercurial-2.*

mercurial-2.0

mercurial-2.0-alpha-1

mercurial-2.0-alpha-4

mercurial-2.0-beta-1

mercurial-2.1

mercurial-2.10

mercurial-2.11

mercurial-2.2

mercurial-2.3

mercurial-2.4

mercurial-2.5

mercurial-2.6

mercurial-2.7

mercurial-2.8

mercurial-2.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-2306.json"