VulnerableCode Package Details - pkg:maven/org.jenkins-ci.plugins/mercurial@2.9.1

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-62bs-bqfj-bubj	XXE vulnerability in Jenkins Mercurial Plugin Jenkins Mercurial Plugin prior to 2.12, 2.10.1, 2.9.1, and 2.8.1 does not configure its XML changelog parser to prevent XML external entity (XXE) attacks. This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. Mercurial Plugin 2.12, 2.10.1, 2.9.1, and 2.8.1 disables external entity resolution for its XML parser.	CVE-2020-2305 GHSA-x58r-wxc3-7pqr
VCID-pdf8-znrf-3ffv	Missing Authorization in Jenkins Mercurial Plugin Mercurial Plugin prior to 2.12, 2.10.1, 2.9.1, and 2.8.1 does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations. Mercurial Plugin 2.12, 2.10.1, 2.9.1, and 2.8.1 performs permission checks when listing configured Mercurial installations.	CVE-2020-2306 GHSA-vrrc-3wwh-frgx

Vulnerability

Summary

Aliases

VCID-62bs-bqfj-bubj

XXE vulnerability in Jenkins Mercurial Plugin Jenkins Mercurial Plugin prior to 2.12, 2.10.1, 2.9.1, and 2.8.1 does not configure its XML changelog parser to prevent XML external entity (XXE) attacks. This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. Mercurial Plugin 2.12, 2.10.1, 2.9.1, and 2.8.1 disables external entity resolution for its XML parser.

CVE-2020-2305
GHSA-x58r-wxc3-7pqr

VCID-pdf8-znrf-3ffv

Missing Authorization in Jenkins Mercurial Plugin Mercurial Plugin prior to 2.12, 2.10.1, 2.9.1, and 2.8.1 does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations. Mercurial Plugin 2.12, 2.10.1, 2.9.1, and 2.8.1 performs permission checks when listing configured Mercurial installations.

CVE-2020-2306
GHSA-vrrc-3wwh-frgx

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T16:01:49.786107+00:00	GHSA Importer	Fixing	VCID-62bs-bqfj-bubj	https://github.com/advisories/GHSA-x58r-wxc3-7pqr	38.0.0
2026-04-01T16:01:49.465660+00:00	GHSA Importer	Fixing	VCID-pdf8-znrf-3ffv	https://github.com/advisories/GHSA-vrrc-3wwh-frgx	38.0.0
2026-04-01T13:11:56.550065+00:00	GithubOSV Importer	Fixing	VCID-pdf8-znrf-3ffv	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vrrc-3wwh-frgx/GHSA-vrrc-3wwh-frgx.json	38.0.0
2026-04-01T13:10:37.379488+00:00	GithubOSV Importer	Fixing	VCID-62bs-bqfj-bubj	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-x58r-wxc3-7pqr/GHSA-x58r-wxc3-7pqr.json	38.0.0