CVE-2018-1000112 — Incorrect Authorization in Jenkins Mercurial Plugin

Description

An improper authorization vulnerability exists in Jenkins Mercurial Plugin version 2.2 and earlier in MercurialStatus.java that allows an attacker with network access to obtain a list of nodes and users.

How to fix CVE-2018-1000112

To remediate CVE-2018-1000112, upgrade the affected package to a fixed version below.

Maven/org.jenkins-ci.plugins:mercurial—upgrade to 2.3 or later

Is CVE-2018-1000112 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1000112
WEBgithub.com/jenkinsci/mercurial-plugin/commit/54b4f82e80c89d51b12bc64258f6b59e98b0c16a
WEBjenkins.io/security/advisory/2018-02-26/#SECURITY-726