What is CVE-2016-3630?

CVE-2016-3630 is a high-severity vulnerability in Mercurial, classified under CWE-19. CVSS score: 8.8/10. Published 2016-04-13.

How severe is CVE-2016-3630?

High severity. CVSS v3 base score is 8.8 out of 10.

Vulnerability in Mercurial

CVE-2016-3630

The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) push, or (3) pull command, related to (a) a list sizing rounding error and (b) short records.

EPSS: 0.052 (90.1th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.

Affected products

Mercurial
Debian Debian_linux — versions 7.0, 8.0
Fedoraproject Fedora — versions 22, 23
Opensuse Leap — versions 42.1
Opensuse — versions 13.2
Suse Linux_enterprise_debuginfo — versions 11
Suse Linux_enterprise_software_development_kit — versions 11, 12
N/a — versions n/a

Weakness classification (CWE)

CWE-19

References

FEDORA-2016-79604dde9f (x_refsource_FEDORA, vendor-advisory, Mailing List, Vendor Advisory)
GLSA-201612-19 (vendor-advisory, Third Party Advisory, x_refsource_GENTOO)
DSA-3542 (vendor-advisory, Third Party Advisory, x_refsource_DEBIAN)
cve@mitre.org (x_refsource_CONFIRM, Third Party Advisory)
cve@mitre.org (x_refsource_CONFIRM, Third Party Advisory)
openSUSE-SU-2016:1016 (vendor-advisory, Mailing List, x_refsource_SUSE, Vendor Advisory)
cve@mitre.org (x_refsource_CONFIRM, Vendor Advisory)
cve@mitre.org (x_refsource_CONFIRM, Third Party Advisory)
SUSE-SU-2016:1011 (vendor-advisory, Mailing List, x_refsource_SUSE, Vendor Advisory)
SUSE-SU-2016:1010 (vendor-advisory, Mailing List, x_refsource_SUSE, Vendor Advisory)

Frequently asked questions

What is CVE-2016-3630?: CVE-2016-3630 is a high-severity vulnerability in Mercurial, classified under CWE-19. CVSS score: 8.8/10. Published 2016-04-13.
How severe is CVE-2016-3630?: High severity. CVSS v3 base score is 8.8 out of 10.