Mercurial Plugin prior to 2.12, 2.10.1, 2.9.1, and 2.8.1 does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations.
Mercurial Plugin 2.12, 2.10.1, 2.9.1, and 2.8.1 performs permission checks when listing configured Mercurial installations.
{ "nvd_published_at": "2020-11-04T15:15:00Z", "cwe_ids": [ "CWE-862" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-06-23T23:20:17Z" }