The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) push, or (3) pull command, related to (a) a list sizing rounding error and (b) short records.
2016-04-13T16:59:20.850
2025-04-12T10:46:40.837
Deferred
CVSSv3.1: 8.8 (HIGH)
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.6
6.4
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Operating System | fedoraproject | fedora | 22 | Yes |
| Operating System | fedoraproject | fedora | 23 | Yes |
| Operating System | opensuse | leap | 42.1 | Yes |
| Application | mercurial | mercurial | ≤ 3.7.2 | Yes |
| Operating System | debian | debian_linux | 7.0 | Yes |
| Operating System | debian | debian_linux | 8.0 | Yes |
| Application | suse | linux_enterprise_debuginfo | 11 | Yes |
| Operating System | opensuse | opensuse | 13.2 | Yes |
| Operating System | suse | linux_enterprise_software_development_kit | 11 | Yes |
| Operating System | suse | linux_enterprise_software_development_kit | 12 | Yes |
| Operating System | suse | linux_enterprise_software_development_kit | 12 | Yes |