CVE-2018-13348
Mercurial Improper Input Validation vulnerability
7.5
HIGH
CVSS 3.1
EPSS 0.66%
Description
The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles cases where fewer than 12 bytes remain after the current position in the patch data, although at least 12 bytes are required at that point, aka OVE-20180430-0001.
How to fix CVE-2018-13348
To remediate CVE-2018-13348, upgrade the affected package to a fixed version below.
- upgrade to 4.6.1-1 or later
- upgrade to 4.6.1 or later
- upgrade to 4.6.1 or later
Is CVE-2018-13348 being exploited?
Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 4.6.1-1
- from 0, < 4.6.1
- from 0, < 4.6.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |