VulnerableCode Package Details - pkg:maven/org.jenkins-ci.plugins/mercurial@2.10

Search for packages

Vulnerability	Summary	Fixed by
VCID-62bs-bqfj-bubj Aliases: CVE-2020-2305 GHSA-x58r-wxc3-7pqr	XXE vulnerability in Jenkins Mercurial Plugin Jenkins Mercurial Plugin prior to 2.12, 2.10.1, 2.9.1, and 2.8.1 does not configure its XML changelog parser to prevent XML external entity (XXE) attacks. This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. Mercurial Plugin 2.12, 2.10.1, 2.9.1, and 2.8.1 disables external entity resolution for its XML parser.	2.10.1 Affected by 0 other vulnerabilities. 2.12 Affected by 0 other vulnerabilities.
VCID-pdf8-znrf-3ffv Aliases: CVE-2020-2306 GHSA-vrrc-3wwh-frgx	Missing Authorization in Jenkins Mercurial Plugin Mercurial Plugin prior to 2.12, 2.10.1, 2.9.1, and 2.8.1 does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations. Mercurial Plugin 2.12, 2.10.1, 2.9.1, and 2.8.1 performs permission checks when listing configured Mercurial installations.	2.10.1 Affected by 0 other vulnerabilities. 2.12 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-62bs-bqfj-bubj
Aliases:
CVE-2020-2305
GHSA-x58r-wxc3-7pqr

XXE vulnerability in Jenkins Mercurial Plugin Jenkins Mercurial Plugin prior to 2.12, 2.10.1, 2.9.1, and 2.8.1 does not configure its XML changelog parser to prevent XML external entity (XXE) attacks. This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. Mercurial Plugin 2.12, 2.10.1, 2.9.1, and 2.8.1 disables external entity resolution for its XML parser.

2.10.1
Affected by 0 other vulnerabilities.

2.12
Affected by 0 other vulnerabilities.

VCID-pdf8-znrf-3ffv
Aliases:
CVE-2020-2306
GHSA-vrrc-3wwh-frgx

Missing Authorization in Jenkins Mercurial Plugin Mercurial Plugin prior to 2.12, 2.10.1, 2.9.1, and 2.8.1 does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations. Mercurial Plugin 2.12, 2.10.1, 2.9.1, and 2.8.1 performs permission checks when listing configured Mercurial installations.

2.10.1
Affected by 0 other vulnerabilities.

2.12
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T16:01:49.554670+00:00	GHSA Importer	Affected by	VCID-pdf8-znrf-3ffv	https://github.com/advisories/GHSA-vrrc-3wwh-frgx	38.0.0
2026-04-01T16:01:49.352797+00:00	GHSA Importer	Affected by	VCID-62bs-bqfj-bubj	https://github.com/advisories/GHSA-x58r-wxc3-7pqr	38.0.0
2026-04-01T13:11:56.530599+00:00	GithubOSV Importer	Affected by	VCID-pdf8-znrf-3ffv	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vrrc-3wwh-frgx/GHSA-vrrc-3wwh-frgx.json	38.0.0
2026-04-01T13:10:37.355453+00:00	GithubOSV Importer	Affected by	VCID-62bs-bqfj-bubj	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-x58r-wxc3-7pqr/GHSA-x58r-wxc3-7pqr.json	38.0.0