{
  "threat_severity" : "Important",
  "public_date" : "2017-08-10T00:00:00Z",
  "bugzilla" : {
    "description" : "Mercurial: pathaudit: path traversal via symlink",
    "id" : "1480330",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1480330"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.4",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-22",
  "details" : [ "Mercurial prior to version 4.3 is vulnerable to a missing symlink check that can allow malicious repositories to modify files outside the repository.", "A vulnerability was found in the way Mercurial handles path auditing and caches the results. An attacker could abuse a repository with a series of commits mixing symlinks and regular files/directories to trick Mercurial into writing outside of a given repository." ],
  "acknowledgement" : "Red Hat would like to thank the Mercurial Security Team for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2017-08-17T00:00:00Z",
    "advisory" : "RHSA-2017:2489",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "mercurial-0:2.6.2-8.el7_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Will not fix",
    "package_name" : "mercurial",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2017-1000115\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-1000115\nhttps://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.2F_4.3.1_.282017-08-10.29" ],
  "name" : "CVE-2017-1000115",
  "csaw" : false
}