VIR Vulnerability Intelligence Relay

Package impact

python PyPI / mercurial

Severitycriticalhighmediumlowunknown
0
KEVHas exploit
Reset
CVE Severity CVSS Risk Published Description Impact
CVE-2017-1000116 critical 9.8 9.8 4y ago Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks. archsusedebianredhat+1
CVE-2017-17458 critical 9.8 9.8 4y ago In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the rep… susedebianpython
CVE-2016-3105 high 8.8 8.8 4y ago The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted git repository name. susedebianpython
CVE-2017-9462 high 8.8 8.8 9y ago In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name. susedebianredhatpython
CVE-2016-3630 high 8.8 8.8 10y ago The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) push, or (3) pull command, related to (a) a list sizing rounding error and (b… susedebianfedorapython
CVE-2016-3069 high 8.8 8.8 10y ago Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository. susedebianfedoraredhat+1
CVE-2016-3068 high 8.8 8.8 10y ago Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted git ext:: URL when cloning a subrepository. susedebianfedoraredhat+1
CVE-2014-9462 high 7.5 4y ago The _validaterepo function in sshpeer in Mercurial before 3.2.4 allows remote attackers to execute arbitrary commands via a crafted repository name in a clone command. debiansusepython
CVE-2017-1000115 high 7.5 7.5 9y ago Mercurial prior to version 4.3 is vulnerable to a missing symlink check that can malicious repositories to modify files outside the repository archsusedebianredhat+1
CVE-2014-9390 unknown 4y ago Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; … debianjavapython
CVE-2018-17983 unknown 4y ago cext/manifest.c in Mercurial before 4.7.2 has an out-of-bounds read during parsing of a malformed manifest entry. susedebianpython
CVE-2018-13347 unknown 4y ago mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002. susedebianpython
CVE-2018-1000132 unknown 4y ago Mercurial version 4.5 and earlier contains a Incorrect Access Control (CWE-285) vulnerability in Protocol server that can result in Unauthorized data access. This attack appear to be exploitable via … susedebianpython
CVE-2018-13346 unknown 4y ago The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the original data, aka OVE-20180430-0004. susedebianpython
CVE-2018-13348 unknown 4y ago The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actu… susedebianpython
CVE-2008-2942 unknown 4y ago Mercurial Directory traversal vulnerability debianpython
CVE-2010-4237 unknown 4y ago Mercurial before 1.6.4 fails to verify the Common Name field of SSL certificates which allows remote attackers who acquire a certificate signed by a Certificate Authority to perform a man-in-the-midd… debianpython
CVE-2019-3902 unknown 4y ago A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository. susedebianpython