GHSA-vrrc-3wwh-frgx

GitHub Security Advisory

Missing Authorization in Jenkins Mercurial Plugin

✓ GitHub Reviewed MODERATE Has CVE

Mercurial Plugin prior to 2.12, 2.10.1, 2.9.1, and 2.8.1 does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations.

Mercurial Plugin 2.12, 2.10.1, 2.9.1, and 2.8.1 performs permission checks when listing configured Mercurial installations.

Maven org.jenkins-ci.plugins:mercurial

Affected versions: 2.11 (fixed in 2.12)

Maven org.jenkins-ci.plugins:mercurial

Affected versions: 2.10 (fixed in 2.10.1)

Maven org.jenkins-ci.plugins:mercurial

Affected versions: 2.9 (fixed in 2.9.1)

Maven org.jenkins-ci.plugins:mercurial

Affected versions: 0 (fixed in 2.8.1)

CVE-2020-2306

GHSA ID

GHSA-vrrc-3wwh-frgx

Published

May 24, 2022 5:33 PM

Last Modified

May 24, 2023 1:43 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins:mercurial

GitHub Reviewed

✓ Yes

Last updated: July 5, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.