{"api_version":"1","generated_at":"2026-04-22T23:30:53+00:00","cve":"CVE-2018-13348","urls":{"html":"https://cve.report/CVE-2018-13348","api":"https://cve.report/api/cve/CVE-2018-13348.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-13348","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-13348"},"summary":{"title":"CVE-2018-13348","description":"The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2018-07-06 00:29:00","updated_at":"2020-07-31 13:15:00"},"problem_types":["CWE-20"],"metrics":[],"references":[{"url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html","name":"[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2293-1] mercurial security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mercurial-scm.org/repo/hg/rev/90a274965de7","name":"https://www.mercurial-scm.org/repo/hg/rev/90a274965de7","refsource":"MISC","tags":["Patch","Vendor Advisory"],"title":"Mercurial: 90a274965de7","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29","name":"https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29","refsource":"MISC","tags":["Vendor Advisory"],"title":"WhatsNew - Mercurial","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-13348","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-13348","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"13348","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mercurial","cpe5":"mercurial","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"13348","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mercurial","cpe5":"mercurial","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2018-13348","qid":"671408","title":"EulerOS Security Update for mercurial (EulerOS-SA-2022-1331)"},{"cve":"CVE-2018-13348","qid":"671648","title":"EulerOS Security Update for mercurial (EulerOS-SA-2022-1747)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2018-13348","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"https://www.mercurial-scm.org/repo/hg/rev/90a274965de7","refsource":"MISC","url":"https://www.mercurial-scm.org/repo/hg/rev/90a274965de7"},{"name":"https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29","refsource":"MISC","url":"https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29"},{"refsource":"MLIST","name":"[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update","url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"}]}},"nvd":{"publishedDate":"2018-07-06 00:29:00","lastModifiedDate":"2020-07-31 13:15:00","problem_types":["CWE-20"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mercurial:mercurial:*:*:*:*:*:*:*:*","versionEndExcluding":"4.6.1","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"13348","Ordinal":"129997","Title":"CVE-2018-13348","CVE":"CVE-2018-13348","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"13348","Ordinal":"1","NoteData":"The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"13348","Ordinal":"2","NoteData":"2018-07-05","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"13348","Ordinal":"3","NoteData":"2020-07-31","Type":"Other","Title":"Modified"}]}}}