CVE-2018-13348
HIGH7.5EPSS 0.66%Mercurial Improper Input Validation vulnerability
發布日:2022/5/13修改日:2026/4/28
描述
The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001.
受影響套件(3)
- Debian/mercurialfrom 0, < 4.6.1-1
- PyPI/mercurialfrom 0, < 4.6.1
- PyPI/mercurialfrom 0, < 4.6.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2018-13348
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2018-13348
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2018-90.yaml
- WEBhttps://lists.debian.org/debian-lts-announce/2020/07/msg00032.html
- WEBhttps://www.mercurial-scm.org/repo/hg/rev/90a274965de7
- WEBhttps://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29