Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/mercurial@1.7.1

Type pypi

Namespace

Name mercurial

Version 1.7.1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 4.9

Latest_non_vulnerable_version 4.9

Affected_by_vulnerabilities

url VCID-16q8-up17-hkd7

vulnerability_id VCID-16q8-up17-hkd7

summary Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository.

references

reference_url	http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181505.html
reference_id
reference_type
scores
url	http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181505.html

reference_url	http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181542.html
reference_id
reference_type
scores
url	http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181542.html

reference_url	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00016.html
reference_id
reference_type
scores
url	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00016.html

reference_url	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00017.html
reference_id
reference_type
scores
url	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00017.html

reference_url	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00018.html
reference_id
reference_type
scores
url	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00018.html

reference_url	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00043.html
reference_id
reference_type
scores
url	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00043.html

reference_url	http://rhn.redhat.com/errata/RHSA-2016-0706.html
reference_id
reference_type
scores
url	http://rhn.redhat.com/errata/RHSA-2016-0706.html

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2016-27.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2016-27.yaml

reference_url	https://security.gentoo.org/glsa/201612-19
reference_id
reference_type
scores
url	https://security.gentoo.org/glsa/201612-19

reference_url	https://selenic.com/repo/hg-stable/rev/197eed39e3d5
reference_id
reference_type
scores
url	https://selenic.com/repo/hg-stable/rev/197eed39e3d5

reference_url	https://selenic.com/repo/hg-stable/rev/80cac1de6aea
reference_id
reference_type
scores
url	https://selenic.com/repo/hg-stable/rev/80cac1de6aea

reference_url	https://selenic.com/repo/hg-stable/rev/ae279d4a19e9
reference_id
reference_type
scores
url	https://selenic.com/repo/hg-stable/rev/ae279d4a19e9

reference_url	https://selenic.com/repo/hg-stable/rev/b732e7f2aba4
reference_id
reference_type
scores
url	https://selenic.com/repo/hg-stable/rev/b732e7f2aba4

reference_url	https://selenic.com/repo/hg-stable/rev/cdda7b96afff
reference_id
reference_type
scores
url	https://selenic.com/repo/hg-stable/rev/cdda7b96afff

reference_url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29
reference_id
reference_type
scores
url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29

reference_url	http://www.debian.org/security/2016/dsa-3542
reference_id
reference_type
scores
url	http://www.debian.org/security/2016/dsa-3542

reference_url	http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
reference_id
reference_type
scores
url	http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

reference_url	http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
reference_id
reference_type
scores
url	http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2016-3069
reference_id	CVE-2016-3069
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2016-3069

reference_url	https://github.com/advisories/GHSA-8fm8-7365-5rh2
reference_id	GHSA-8fm8-7365-5rh2
reference_type
scores
url	https://github.com/advisories/GHSA-8fm8-7365-5rh2

fixed_packages

url pkg:pypi/mercurial@3.7.3

purl pkg:pypi/mercurial@3.7.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1w83-uq69-skeb

vulnerability	VCID-71pc-96mg-ufbt

vulnerability	VCID-b7rg-cd13-aygs

vulnerability	VCID-ex2f-cn1w-y7h5

vulnerability	VCID-h8ah-p1pj-3bc3

vulnerability	VCID-knzd-ju2a-hbe5

vulnerability	VCID-q5zm-xfyx-u7bn

vulnerability	VCID-tsye-4m91-6ba1

vulnerability	VCID-utkv-unr7-c3dq

vulnerability	VCID-zcq8-8axd-q3eg

vulnerability	VCID-zs6r-e6qt-bfbu

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/mercurial@3.7.3

aliases CVE-2016-3069, GHSA-8fm8-7365-5rh2, PYSEC-2016-27

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-16q8-up17-hkd7

url VCID-1w83-uq69-skeb

vulnerability_id VCID-1w83-uq69-skeb

summary The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the original data, aka OVE-20180430-0004.

references

reference_url	https://access.redhat.com/errata/RHSA-2019:2276
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2019:2276

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2018-88.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2018-88.yaml

reference_url	https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html

reference_url	https://www.mercurial-scm.org/repo/hg/rev/faa924469635
reference_id
reference_type
scores
url	https://www.mercurial-scm.org/repo/hg/rev/faa924469635

reference_url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29
reference_id
reference_type
scores
url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2018-13346
reference_id	CVE-2018-13346
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2018-13346

reference_url	https://github.com/advisories/GHSA-9xv4-r2hf-26gh
reference_id	GHSA-9xv4-r2hf-26gh
reference_type
scores
url	https://github.com/advisories/GHSA-9xv4-r2hf-26gh

fixed_packages

url pkg:pypi/mercurial@4.6.1

purl pkg:pypi/mercurial@4.6.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-b7rg-cd13-aygs

vulnerability	VCID-tsye-4m91-6ba1

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/mercurial@4.6.1

aliases CVE-2018-13346, GHSA-9xv4-r2hf-26gh, PYSEC-2018-88

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1w83-uq69-skeb

url VCID-2996-7bgv-eqdv

vulnerability_id VCID-2996-7bgv-eqdv

summary The _validaterepo function in sshpeer in Mercurial before 3.2.4 allows remote attackers to execute arbitrary commands via a crafted repository name in a clone command.

references

reference_url	http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html
reference_id
reference_type
scores
url	http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html

reference_url	http://lists.opensuse.org/opensuse-updates/2015-03/msg00085.html
reference_id
reference_type
scores
url	http://lists.opensuse.org/opensuse-updates/2015-03/msg00085.html

reference_url	http://mercurial.selenic.com/wiki/WhatsNew
reference_id
reference_type
scores
url	http://mercurial.selenic.com/wiki/WhatsNew

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2015-14.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2015-14.yaml

reference_url	https://security.gentoo.org/glsa/201612-19
reference_id
reference_type
scores
url	https://security.gentoo.org/glsa/201612-19

reference_url	http://www.debian.org/security/2015/dsa-3257
reference_id
reference_type
scores
url	http://www.debian.org/security/2015/dsa-3257

reference_url	http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html
reference_id
reference_type
scores
url	http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html

reference_url	http://www.osvdb.org/119816
reference_id
reference_type
scores
url	http://www.osvdb.org/119816

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2014-9462
reference_id	CVE-2014-9462
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2014-9462

reference_url	https://github.com/advisories/GHSA-3pmw-h7j4-rf54
reference_id	GHSA-3pmw-h7j4-rf54
reference_type
scores
url	https://github.com/advisories/GHSA-3pmw-h7j4-rf54

fixed_packages

url pkg:pypi/mercurial@3.2.4

purl pkg:pypi/mercurial@3.2.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-16q8-up17-hkd7

vulnerability	VCID-1w83-uq69-skeb

vulnerability	VCID-71pc-96mg-ufbt

vulnerability	VCID-b7rg-cd13-aygs

vulnerability	VCID-dybb-af3z-zbce

vulnerability	VCID-ex2f-cn1w-y7h5

vulnerability	VCID-h8ah-p1pj-3bc3

vulnerability	VCID-knzd-ju2a-hbe5

vulnerability	VCID-n9rd-9dpp-t3cc

vulnerability	VCID-q5zm-xfyx-u7bn

vulnerability	VCID-tsye-4m91-6ba1

vulnerability	VCID-utkv-unr7-c3dq

vulnerability	VCID-zcq8-8axd-q3eg

vulnerability	VCID-zs6r-e6qt-bfbu

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/mercurial@3.2.4

aliases CVE-2014-9462, GHSA-3pmw-h7j4-rf54, PYSEC-2015-14

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2996-7bgv-eqdv

url VCID-6an9-ych8-zqcy

vulnerability_id VCID-6an9-ych8-zqcy

summary Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.

references

reference_url	http://article.gmane.org/gmane.linux.kernel/1853266
reference_id
reference_type
scores
url	http://article.gmane.org/gmane.linux.kernel/1853266

reference_url	http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html
reference_id
reference_type
scores
url	http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html

reference_url	http://mercurial.selenic.com/wiki/WhatsNew
reference_id
reference_type
scores
url	http://mercurial.selenic.com/wiki/WhatsNew

reference_url	http://securitytracker.com/id?1031404
reference_id
reference_type
scores
url	http://securitytracker.com/id?1031404

reference_url	https://github.com/blog/1938-git-client-vulnerability-announced
reference_id
reference_type
scores
url	https://github.com/blog/1938-git-client-vulnerability-announced

reference_url	https://github.com/blog/1938-vulnerability-announced-update-your-git-clients
reference_id
reference_type
scores
url	https://github.com/blog/1938-vulnerability-announced-update-your-git-clients

reference_url	https://github.com/libgit2/libgit2/commit/928429c5c96a701bcbcafacb2421a82602b36915
reference_id
reference_type
scores
url	https://github.com/libgit2/libgit2/commit/928429c5c96a701bcbcafacb2421a82602b36915

reference_url	https://github.com/libgit2/libgit2/releases/tag/v0.21.3
reference_id
reference_type
scores
url	https://github.com/libgit2/libgit2/releases/tag/v0.21.3

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2020-217.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2020-217.yaml

reference_url	https://libgit2.org/security
reference_id
reference_type
scores
url	https://libgit2.org/security

reference_url	https://libgit2.org/security/
reference_id
reference_type
scores
url	https://libgit2.org/security/

reference_url	https://news.ycombinator.com/item?id=8769667
reference_id
reference_type
scores
url	https://news.ycombinator.com/item?id=8769667

reference_url	https://projects.eclipse.org/projects/technology.jgit/releases/3.5.3
reference_id
reference_type
scores
url	https://projects.eclipse.org/projects/technology.jgit/releases/3.5.3

reference_url	http://support.apple.com/kb/HT204147
reference_id
reference_type
scores
url	http://support.apple.com/kb/HT204147

reference_url	https://web.archive.org/web/20211204220400/https://securitytracker.com/id?1031404
reference_id
reference_type
scores
url	https://web.archive.org/web/20211204220400/https://securitytracker.com/id?1031404

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2014-9390
reference_id	CVE-2014-9390
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2014-9390

reference_url	https://github.com/advisories/GHSA-6vvc-c2m3-cjf3
reference_id	GHSA-6vvc-c2m3-cjf3
reference_type
scores
url	https://github.com/advisories/GHSA-6vvc-c2m3-cjf3

fixed_packages

url pkg:pypi/mercurial@3.2.3

purl pkg:pypi/mercurial@3.2.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-16q8-up17-hkd7

vulnerability	VCID-1w83-uq69-skeb

vulnerability	VCID-2996-7bgv-eqdv

vulnerability	VCID-71pc-96mg-ufbt

vulnerability	VCID-b7rg-cd13-aygs

vulnerability	VCID-dybb-af3z-zbce

vulnerability	VCID-ex2f-cn1w-y7h5

vulnerability	VCID-h8ah-p1pj-3bc3

vulnerability	VCID-knzd-ju2a-hbe5

vulnerability	VCID-n9rd-9dpp-t3cc

vulnerability	VCID-q5zm-xfyx-u7bn

vulnerability	VCID-tsye-4m91-6ba1

vulnerability	VCID-utkv-unr7-c3dq

vulnerability	VCID-zcq8-8axd-q3eg

vulnerability	VCID-zs6r-e6qt-bfbu

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/mercurial@3.2.3

aliases CVE-2014-9390, GHSA-6vvc-c2m3-cjf3, PYSEC-2020-217

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6an9-ych8-zqcy

url VCID-71pc-96mg-ufbt

vulnerability_id VCID-71pc-96mg-ufbt

summary multiple issues

references

reference_url	https://access.redhat.com/errata/RHSA-2017:2489
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2017:2489

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000115
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000115

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000116
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000116

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2017-88.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2017-88.yaml

reference_url	https://security.gentoo.org/glsa/201709-18
reference_id
reference_type
scores
url	https://security.gentoo.org/glsa/201709-18

reference_url	https://web.archive.org/web/20200227155758/http://www.securityfocus.com/bid/100290
reference_id
reference_type
scores
url	https://web.archive.org/web/20200227155758/http://www.securityfocus.com/bid/100290

reference_url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.2F_4.3.1_.282017-08-10.29
reference_id
reference_type
scores
url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.2F_4.3.1_.282017-08-10.29

reference_url	http://www.debian.org/security/2017/dsa-3963
reference_id
reference_type
scores
url	http://www.debian.org/security/2017/dsa-3963

reference_url	http://www.securityfocus.com/bid/100290
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/100290

reference_url	https://security.archlinux.org/ASA-201708-7
reference_id	ASA-201708-7
reference_type
scores
url	https://security.archlinux.org/ASA-201708-7

reference_url

https://security.archlinux.org/AVG-378

reference_id

AVG-378

reference_type

scores

value	Critical
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-378

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2017-1000115
reference_id	CVE-2017-1000115
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2017-1000115

reference_url	https://github.com/advisories/GHSA-hvr9-wr9p-grgr
reference_id	GHSA-hvr9-wr9p-grgr
reference_type
scores
url	https://github.com/advisories/GHSA-hvr9-wr9p-grgr

fixed_packages

url pkg:pypi/mercurial@4.3

purl pkg:pypi/mercurial@4.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1w83-uq69-skeb

vulnerability	VCID-b7rg-cd13-aygs

vulnerability	VCID-ex2f-cn1w-y7h5

vulnerability	VCID-h8ah-p1pj-3bc3

vulnerability	VCID-q5zm-xfyx-u7bn

vulnerability	VCID-tsye-4m91-6ba1

vulnerability	VCID-zs6r-e6qt-bfbu

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/mercurial@4.3

url pkg:pypi/mercurial@4.3.1

purl pkg:pypi/mercurial@4.3.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1w83-uq69-skeb

vulnerability	VCID-b7rg-cd13-aygs

vulnerability	VCID-ex2f-cn1w-y7h5

vulnerability	VCID-h8ah-p1pj-3bc3

vulnerability	VCID-q5zm-xfyx-u7bn

vulnerability	VCID-tsye-4m91-6ba1

vulnerability	VCID-zs6r-e6qt-bfbu

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/mercurial@4.3.1

aliases CVE-2017-1000115, GHSA-hvr9-wr9p-grgr, PYSEC-2017-88

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-71pc-96mg-ufbt

url VCID-b7rg-cd13-aygs

vulnerability_id VCID-b7rg-cd13-aygs

summary cext/manifest.c in Mercurial before 4.7.2 has an out-of-bounds read during parsing of a malformed manifest entry.

references

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2018-91.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2018-91.yaml

reference_url	https://www.mercurial-scm.org/repo/hg/rev/5405cb1a7901
reference_id
reference_type
scores
url	https://www.mercurial-scm.org/repo/hg/rev/5405cb1a7901

reference_url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.7.2_.282018-10-01.29
reference_id
reference_type
scores
url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.7.2_.282018-10-01.29

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2018-17983
reference_id	CVE-2018-17983
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2018-17983

reference_url	https://github.com/advisories/GHSA-p575-cf9h-wv42
reference_id	GHSA-p575-cf9h-wv42
reference_type
scores
url	https://github.com/advisories/GHSA-p575-cf9h-wv42

fixed_packages

url pkg:pypi/mercurial@4.7.2

purl pkg:pypi/mercurial@4.7.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-tsye-4m91-6ba1

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/mercurial@4.7.2

aliases CVE-2018-17983, GHSA-p575-cf9h-wv42, PYSEC-2018-91

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-b7rg-cd13-aygs

url VCID-dybb-af3z-zbce

vulnerability_id VCID-dybb-af3z-zbce

summary Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted git ext:: URL when cloning a subrepository.

references

reference_url	http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181505.html
reference_id
reference_type
scores
url	http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181505.html

reference_url	http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181542.html
reference_id
reference_type
scores
url	http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181542.html

reference_url	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00016.html
reference_id
reference_type
scores
url	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00016.html

reference_url	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00017.html
reference_id
reference_type
scores
url	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00017.html

reference_url	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00018.html
reference_id
reference_type
scores
url	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00018.html

reference_url	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00043.html
reference_id
reference_type
scores
url	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00043.html

reference_url	http://rhn.redhat.com/errata/RHSA-2016-0706.html
reference_id
reference_type
scores
url	http://rhn.redhat.com/errata/RHSA-2016-0706.html

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2016-26.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2016-26.yaml

reference_url	https://security.gentoo.org/glsa/201612-19
reference_id
reference_type
scores
url	https://security.gentoo.org/glsa/201612-19

reference_url	https://selenic.com/repo/hg-stable/rev/34d43cb85de8
reference_id
reference_type
scores
url	https://selenic.com/repo/hg-stable/rev/34d43cb85de8

reference_url	https://web.archive.org/web/20200228003737/http://www.securityfocus.com/bid/85733
reference_id
reference_type
scores
url	https://web.archive.org/web/20200228003737/http://www.securityfocus.com/bid/85733

reference_url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29
reference_id
reference_type
scores
url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29

reference_url	http://www.debian.org/security/2016/dsa-3542
reference_id
reference_type
scores
url	http://www.debian.org/security/2016/dsa-3542

reference_url	http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
reference_id
reference_type
scores
url	http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

reference_url	http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
reference_id
reference_type
scores
url	http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html

reference_url	http://www.securityfocus.com/bid/85733
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/85733

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2016-3068
reference_id	CVE-2016-3068
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2016-3068

reference_url	https://github.com/advisories/GHSA-j7c2-rqm3-c97m
reference_id	GHSA-j7c2-rqm3-c97m
reference_type
scores
url	https://github.com/advisories/GHSA-j7c2-rqm3-c97m

fixed_packages

url pkg:pypi/mercurial@3.7.3

purl pkg:pypi/mercurial@3.7.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1w83-uq69-skeb

vulnerability	VCID-71pc-96mg-ufbt

vulnerability	VCID-b7rg-cd13-aygs

vulnerability	VCID-ex2f-cn1w-y7h5

vulnerability	VCID-h8ah-p1pj-3bc3

vulnerability	VCID-knzd-ju2a-hbe5

vulnerability	VCID-q5zm-xfyx-u7bn

vulnerability	VCID-tsye-4m91-6ba1

vulnerability	VCID-utkv-unr7-c3dq

vulnerability	VCID-zcq8-8axd-q3eg

vulnerability	VCID-zs6r-e6qt-bfbu

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/mercurial@3.7.3

aliases CVE-2016-3068, GHSA-j7c2-rqm3-c97m, PYSEC-2016-26

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dybb-af3z-zbce

url VCID-ex2f-cn1w-y7h5

vulnerability_id VCID-ex2f-cn1w-y7h5

summary mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002.

references

reference_url	https://access.redhat.com/errata/RHSA-2019:2276
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2019:2276

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2018-89.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2018-89.yaml

reference_url	https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html

reference_url	https://www.mercurial-scm.org/repo/hg-committed/log?rev=modifies%28%22mercurial%2Fmpatch.c%22%29+and+4.5%3A%3A
reference_id
reference_type
scores
url	https://www.mercurial-scm.org/repo/hg-committed/log?rev=modifies%28%22mercurial%2Fmpatch.c%22%29+and+4.5%3A%3A

reference_url	https://www.mercurial-scm.org/repo/hg/rev/1acfc35d478c
reference_id
reference_type
scores
url	https://www.mercurial-scm.org/repo/hg/rev/1acfc35d478c

reference_url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29
reference_id
reference_type
scores
url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2018-13347
reference_id	CVE-2018-13347
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2018-13347

reference_url	https://github.com/advisories/GHSA-3mjj-mr4f-qxmx
reference_id	GHSA-3mjj-mr4f-qxmx
reference_type
scores
url	https://github.com/advisories/GHSA-3mjj-mr4f-qxmx

fixed_packages

url pkg:pypi/mercurial@4.6.1

purl pkg:pypi/mercurial@4.6.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-b7rg-cd13-aygs

vulnerability	VCID-tsye-4m91-6ba1

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/mercurial@4.6.1

aliases CVE-2018-13347, GHSA-3mjj-mr4f-qxmx, PYSEC-2018-89

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ex2f-cn1w-y7h5

url VCID-h8ah-p1pj-3bc3

vulnerability_id VCID-h8ah-p1pj-3bc3

summary The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001.

references

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2018-90.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2018-90.yaml

reference_url	https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html

reference_url	https://www.mercurial-scm.org/repo/hg/rev/90a274965de7
reference_id
reference_type
scores
url	https://www.mercurial-scm.org/repo/hg/rev/90a274965de7

reference_url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29
reference_id
reference_type
scores
url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2018-13348
reference_id	CVE-2018-13348
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2018-13348

reference_url	https://github.com/advisories/GHSA-3v62-ww8w-758m
reference_id	GHSA-3v62-ww8w-758m
reference_type
scores
url	https://github.com/advisories/GHSA-3v62-ww8w-758m

fixed_packages

url pkg:pypi/mercurial@4.6.1

purl pkg:pypi/mercurial@4.6.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-b7rg-cd13-aygs

vulnerability	VCID-tsye-4m91-6ba1

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/mercurial@4.6.1

aliases CVE-2018-13348, GHSA-3v62-ww8w-758m, PYSEC-2018-90

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-h8ah-p1pj-3bc3

url VCID-knzd-ju2a-hbe5

vulnerability_id VCID-knzd-ju2a-hbe5

summary The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted git repository name.

references

reference_url	http://lists.opensuse.org/opensuse-updates/2016-05/msg00082.html
reference_id
reference_type
scores
url	http://lists.opensuse.org/opensuse-updates/2016-05/msg00082.html

reference_url	https://security.gentoo.org/glsa/201612-19
reference_id
reference_type
scores
url	https://security.gentoo.org/glsa/201612-19

reference_url	https://selenic.com/hg/rev/a56296f55a5e
reference_id
reference_type
scores
url	https://selenic.com/hg/rev/a56296f55a5e

reference_url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.8_.2F_3.8.1_.282016-5-1.29
reference_id
reference_type
scores
url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.8_.2F_3.8.1_.282016-5-1.29

reference_url	http://www.debian.org/security/2016/dsa-3570
reference_id
reference_type
scores
url	http://www.debian.org/security/2016/dsa-3570

reference_url	http://www.securityfocus.com/bid/90536
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/90536

reference_url	http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.533255
reference_id
reference_type
scores
url	http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.533255

fixed_packages

url pkg:pypi/mercurial@3.8rc0

purl pkg:pypi/mercurial@3.8rc0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1w83-uq69-skeb

vulnerability	VCID-71pc-96mg-ufbt

vulnerability	VCID-b7rg-cd13-aygs

vulnerability	VCID-ex2f-cn1w-y7h5

vulnerability	VCID-h8ah-p1pj-3bc3

vulnerability	VCID-q5zm-xfyx-u7bn

vulnerability	VCID-tsye-4m91-6ba1

vulnerability	VCID-utkv-unr7-c3dq

vulnerability	VCID-zcq8-8axd-q3eg

vulnerability	VCID-zs6r-e6qt-bfbu

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/mercurial@3.8rc0

aliases CVE-2016-3105, PYSEC-2016-28

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-knzd-ju2a-hbe5

url VCID-n9rd-9dpp-t3cc

vulnerability_id VCID-n9rd-9dpp-t3cc

summary The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) push, or (3) pull command, related to (a) a list sizing rounding error and (b) short records.

references

reference_url	http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181505.html
reference_id
reference_type
scores
url	http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181505.html

reference_url	http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181542.html
reference_id
reference_type
scores
url	http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181542.html

reference_url	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00016.html
reference_id
reference_type
scores
url	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00016.html

reference_url	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00017.html
reference_id
reference_type
scores
url	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00017.html

reference_url	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00018.html
reference_id
reference_type
scores
url	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00018.html

reference_url	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00043.html
reference_id
reference_type
scores
url	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00043.html

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2016-29.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2016-29.yaml

reference_url	https://security.gentoo.org/glsa/201612-19
reference_id
reference_type
scores
url	https://security.gentoo.org/glsa/201612-19

reference_url	https://selenic.com/repo/hg-stable/rev/b6ed2505d6cf
reference_id
reference_type
scores
url	https://selenic.com/repo/hg-stable/rev/b6ed2505d6cf

reference_url	https://selenic.com/repo/hg-stable/rev/b9714d958e89
reference_id
reference_type
scores
url	https://selenic.com/repo/hg-stable/rev/b9714d958e89

reference_url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29
reference_id
reference_type
scores
url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29

reference_url	http://www.debian.org/security/2016/dsa-3542
reference_id
reference_type
scores
url	http://www.debian.org/security/2016/dsa-3542

reference_url	http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
reference_id
reference_type
scores
url	http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2016-3630
reference_id	CVE-2016-3630
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2016-3630

reference_url	https://github.com/advisories/GHSA-9vjf-jjcq-3gh7
reference_id	GHSA-9vjf-jjcq-3gh7
reference_type
scores
url	https://github.com/advisories/GHSA-9vjf-jjcq-3gh7

fixed_packages

url pkg:pypi/mercurial@3.7.3

purl pkg:pypi/mercurial@3.7.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1w83-uq69-skeb

vulnerability	VCID-71pc-96mg-ufbt

vulnerability	VCID-b7rg-cd13-aygs

vulnerability	VCID-ex2f-cn1w-y7h5

vulnerability	VCID-h8ah-p1pj-3bc3

vulnerability	VCID-knzd-ju2a-hbe5

vulnerability	VCID-q5zm-xfyx-u7bn

vulnerability	VCID-tsye-4m91-6ba1

vulnerability	VCID-utkv-unr7-c3dq

vulnerability	VCID-zcq8-8axd-q3eg

vulnerability	VCID-zs6r-e6qt-bfbu

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/mercurial@3.7.3

aliases CVE-2016-3630, GHSA-9vjf-jjcq-3gh7, PYSEC-2016-29

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n9rd-9dpp-t3cc

url VCID-q5zm-xfyx-u7bn

vulnerability_id VCID-q5zm-xfyx-u7bn

summary In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically.

references

reference_url	https://bz.mercurial-scm.org/show_bug.cgi?id=5730
reference_id
reference_type
scores
url	https://bz.mercurial-scm.org/show_bug.cgi?id=5730

reference_url	https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html
reference_id
reference_type
scores
url	https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html

reference_url	https://github.com/dscho/hg
reference_id
reference_type
scores
url	https://github.com/dscho/hg

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2017-90.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2017-90.yaml

reference_url	https://lists.debian.org/debian-lts-announce/2017/12/msg00027.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2017/12/msg00027.html

reference_url	https://lists.debian.org/debian-lts-announce/2018/07/msg00005.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2018/07/msg00005.html

reference_url	https://lists.debian.org/debian-lts-announce/2018/07/msg00041.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2018/07/msg00041.html

reference_url	https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html

reference_url	https://web.archive.org/web/20200227132808/http://www.securityfocus.com/bid/102926
reference_id
reference_type
scores
url	https://web.archive.org/web/20200227132808/http://www.securityfocus.com/bid/102926

reference_url	https://www.mercurial-scm.org/pipermail/mercurial-devel/2017-November/107333.html
reference_id
reference_type
scores
url	https://www.mercurial-scm.org/pipermail/mercurial-devel/2017-November/107333.html

reference_url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.4.1_.282017-11-07.29
reference_id
reference_type
scores
url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.4.1_.282017-11-07.29

reference_url	http://www.securityfocus.com/bid/102926
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/102926

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2017-17458
reference_id	CVE-2017-17458
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2017-17458

reference_url	https://github.com/advisories/GHSA-6v56-cpg6-3rpx
reference_id	GHSA-6v56-cpg6-3rpx
reference_type
scores
url	https://github.com/advisories/GHSA-6v56-cpg6-3rpx

fixed_packages

url pkg:pypi/mercurial@4.4.1

purl pkg:pypi/mercurial@4.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1w83-uq69-skeb

vulnerability	VCID-b7rg-cd13-aygs

vulnerability	VCID-ex2f-cn1w-y7h5

vulnerability	VCID-h8ah-p1pj-3bc3

vulnerability	VCID-tsye-4m91-6ba1

vulnerability	VCID-zs6r-e6qt-bfbu

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/mercurial@4.4.1

aliases CVE-2017-17458, GHSA-6v56-cpg6-3rpx, PYSEC-2017-90

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q5zm-xfyx-u7bn

url VCID-tsye-4m91-6ba1

vulnerability_id VCID-tsye-4m91-6ba1

summary A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository.

references

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3902
reference_id
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3902

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2019-188.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2019-188.yaml

reference_url	https://lists.debian.org/debian-lts-announce/2019/04/msg00024.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2019/04/msg00024.html

reference_url	https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html

reference_url	https://usn.ubuntu.com/4086-1
reference_id
reference_type
scores
url	https://usn.ubuntu.com/4086-1

reference_url	https://usn.ubuntu.com/4086-1/
reference_id
reference_type
scores
url	https://usn.ubuntu.com/4086-1/

reference_url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29
reference_id
reference_type
scores
url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2019-3902
reference_id	CVE-2019-3902
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2019-3902

reference_url	https://github.com/advisories/GHSA-mq66-vcfc-8246
reference_id	GHSA-mq66-vcfc-8246
reference_type
scores
url	https://github.com/advisories/GHSA-mq66-vcfc-8246

fixed_packages

url	pkg:pypi/mercurial@4.9
purl	pkg:pypi/mercurial@4.9
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/mercurial@4.9

aliases CVE-2019-3902, GHSA-mq66-vcfc-8246, PYSEC-2019-188

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tsye-4m91-6ba1

url VCID-utkv-unr7-c3dq

vulnerability_id VCID-utkv-unr7-c3dq

summary multiple issues

references

reference_url	https://access.redhat.com/errata/RHSA-2017:2489
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2017:2489

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000115
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000115

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000116
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000116

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2017-89.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2017-89.yaml

reference_url	https://security.gentoo.org/glsa/201709-18
reference_id
reference_type
scores
url	https://security.gentoo.org/glsa/201709-18

reference_url	https://web.archive.org/web/20200227155758/http://www.securityfocus.com/bid/100290
reference_id
reference_type
scores
url	https://web.archive.org/web/20200227155758/http://www.securityfocus.com/bid/100290

reference_url	https://wiki.mercurial-scm.org/WhatsNew/Archive
reference_id
reference_type
scores
url	https://wiki.mercurial-scm.org/WhatsNew/Archive

reference_url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.2F_4.3.1_.282017-08-10.29
reference_id
reference_type
scores
url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.2F_4.3.1_.282017-08-10.29

reference_url	http://www.debian.org/security/2017/dsa-3963
reference_id
reference_type
scores
url	http://www.debian.org/security/2017/dsa-3963

reference_url	http://www.securityfocus.com/bid/100290
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/100290

reference_url	https://security.archlinux.org/ASA-201708-7
reference_id	ASA-201708-7
reference_type
scores
url	https://security.archlinux.org/ASA-201708-7

reference_url

https://security.archlinux.org/AVG-378

reference_id

AVG-378

reference_type

scores

value	Critical
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-378

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2017-1000116
reference_id	CVE-2017-1000116
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2017-1000116

reference_url	https://github.com/advisories/GHSA-3qmg-c9vc-r47j
reference_id	GHSA-3qmg-c9vc-r47j
reference_type
scores
url	https://github.com/advisories/GHSA-3qmg-c9vc-r47j

fixed_packages

url pkg:pypi/mercurial@4.3

purl pkg:pypi/mercurial@4.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1w83-uq69-skeb

vulnerability	VCID-b7rg-cd13-aygs

vulnerability	VCID-ex2f-cn1w-y7h5

vulnerability	VCID-h8ah-p1pj-3bc3

vulnerability	VCID-q5zm-xfyx-u7bn

vulnerability	VCID-tsye-4m91-6ba1

vulnerability	VCID-zs6r-e6qt-bfbu

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/mercurial@4.3

aliases CVE-2017-1000116, GHSA-3qmg-c9vc-r47j, PYSEC-2017-89

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-utkv-unr7-c3dq

url VCID-zcq8-8axd-q3eg

vulnerability_id VCID-zcq8-8axd-q3eg

summary In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.

references

reference_url	https://access.redhat.com/errata/RHSA-2017:1576
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2017:1576

reference_url	https://bugs.debian.org/861243
reference_id
reference_type
scores
url	https://bugs.debian.org/861243

reference_url	https://github.com/advisories/GHSA-ghjx-3jg5-h6r2
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-ghjx-3jg5-h6r2

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2017-91.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2017-91.yaml

reference_url	https://lists.debian.org/debian-lts-announce/2018/07/msg00005.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2018/07/msg00005.html

reference_url	https://security.gentoo.org/glsa/201709-18
reference_id
reference_type
scores
url	https://security.gentoo.org/glsa/201709-18

reference_url	https://web.archive.org/web/20200227162318/http://www.securityfocus.com/bid/99123
reference_id
reference_type
scores
url	https://web.archive.org/web/20200227162318/http://www.securityfocus.com/bid/99123

reference_url	https://www.mercurial-scm.org/repo/hg/rev/77eaf9539499
reference_id
reference_type
scores
url	https://www.mercurial-scm.org/repo/hg/rev/77eaf9539499

reference_url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29
reference_id
reference_type
scores
url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29

reference_url	http://www.debian.org/security/2017/dsa-3963
reference_id
reference_type
scores
url	http://www.debian.org/security/2017/dsa-3963

reference_url	http://www.securityfocus.com/bid/99123
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/99123

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2017-9462
reference_id	CVE-2017-9462
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2017-9462

fixed_packages

url pkg:pypi/mercurial@4.1.3

purl pkg:pypi/mercurial@4.1.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1w83-uq69-skeb

vulnerability	VCID-71pc-96mg-ufbt

vulnerability	VCID-b7rg-cd13-aygs

vulnerability	VCID-ex2f-cn1w-y7h5

vulnerability	VCID-h8ah-p1pj-3bc3

vulnerability	VCID-q5zm-xfyx-u7bn

vulnerability	VCID-tsye-4m91-6ba1

vulnerability	VCID-utkv-unr7-c3dq

vulnerability	VCID-zs6r-e6qt-bfbu

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/mercurial@4.1.3

aliases CVE-2017-9462, GHSA-ghjx-3jg5-h6r2, PYSEC-2017-91

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zcq8-8axd-q3eg

url VCID-zs6r-e6qt-bfbu

vulnerability_id VCID-zs6r-e6qt-bfbu

summary Mercurial version 4.5 and earlier contains a Incorrect Access Control (CWE-285) vulnerability in Protocol server that can result in Unauthorized data access. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in 4.5.1.

references

reference_url	https://access.redhat.com/errata/RHSA-2019:2276
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2019:2276

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2018-87.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2018-87.yaml

reference_url	https://lists.debian.org/debian-lts-announce/2018/03/msg00034.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2018/03/msg00034.html

reference_url	https://lists.debian.org/debian-lts-announce/2018/07/msg00005.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2018/07/msg00005.html

reference_url	https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html

reference_url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.5.1_.2F_4.5.2_.282018-03-06.29
reference_id
reference_type
scores
url	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.5.1_.2F_4.5.2_.282018-03-06.29

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2018-1000132
reference_id	CVE-2018-1000132
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2018-1000132

reference_url	https://github.com/advisories/GHSA-4mr4-7vjv-9hm6
reference_id	GHSA-4mr4-7vjv-9hm6
reference_type
scores
url	https://github.com/advisories/GHSA-4mr4-7vjv-9hm6

fixed_packages

url pkg:pypi/mercurial@4.5.1

purl pkg:pypi/mercurial@4.5.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1w83-uq69-skeb

vulnerability	VCID-b7rg-cd13-aygs

vulnerability	VCID-ex2f-cn1w-y7h5

vulnerability	VCID-h8ah-p1pj-3bc3

vulnerability	VCID-tsye-4m91-6ba1

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/mercurial@4.5.1

aliases CVE-2018-1000132, GHSA-4mr4-7vjv-9hm6, PYSEC-2018-87

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zs6r-e6qt-bfbu

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/mercurial@1.7.1

Package Instance