CVE-2022-21187

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-21187
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-21187.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-21187
Aliases
Withdrawn
2024-05-15T05:34:02.911414Z
Published
2022-03-14T18:15:07Z
Modified
2023-11-29T09:15:29.079570Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

The package libvcs before 0.11.1 is vulnerable to command injection via argument injection. When the update_repo function is called for a Mercurial (hg) repository, the url parameter is passed directly as an argument to the hg clone command. Because the value is not validated or separated from the option list, a url that begins with hg command-line options is interpreted by hg as options rather than as a repository location, and injecting suitable hg options made arbitrary command execution possible.
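
The following is an added example, not code from libvcs or from the advisory, showing the argument-injection pattern described above and one way to harden it. The function names (build_hg_clone_vulnerable, build_hg_clone_hardened, is_safe_repo_url), the allowed-scheme list and the sample payload are assumptions for illustration; the payload relies only on the documented fact that hg accepts --config on the command line and that hook values are run as shell commands. The hardened builder refuses values that look like options, restricts the URL to expected forms, and places `--` before the positional arguments so hg's option parser stops before reaching them.

```python
"""Argument injection into `hg clone`: the weak argv pattern beside a hardened one.

Added example (not libvcs code). Nothing here executes hg; the functions build
the argv lists so the difference can be inspected and tested offline.
"""
import os
import subprocess
from urllib.parse import urlsplit

# Assumption for this example: only remote schemes plus absolute local paths are expected.
ALLOWED_SCHEMES = {"http", "https", "ssh"}


def build_hg_clone_vulnerable(url: str, dest: str) -> list[str]:
    """Weak pattern: a caller-controlled url lands directly in hg's argv.

    If url starts with '-', hg parses it as an option, not as a repository.
    """
    return ["hg", "clone", url, dest]


def is_safe_repo_url(url: str) -> bool:
    """Accept only values that can be a repository location, never an option.

    Rejects anything starting with '-' (the injection vector), empty strings,
    and anything that is neither an allowed remote URL nor an absolute path.
    """
    if not url or url.startswith("-"):
        return False
    parts = urlsplit(url)
    if parts.scheme in ALLOWED_SCHEMES and parts.netloc:
        return True
    # Local clones: permit absolute paths only, so relative names like "-x" or
    # scheme-less strings cannot slip through.
    return os.path.isabs(url) and parts.scheme == ""


def build_hg_clone_hardened(url: str, dest: str) -> list[str]:
    """Hardened pattern: validate the url, then terminate option parsing with '--'.

    hg honours '--' as the end of options, so even a value that passed
    validation but contains '-' later on cannot be read as a flag.
    """
    if not is_safe_repo_url(url):
        raise ValueError(f"refusing suspicious repository url: {url!r}")
    if dest.startswith("-"):
        raise ValueError(f"refusing suspicious destination: {dest!r}")
    return ["hg", "clone", "--", url, dest]


def run_clone(url: str, dest: str) -> subprocess.CompletedProcess:
    """Run the hardened command as an argv list (no shell), so no shell metacharacters apply."""
    return subprocess.run(build_hg_clone_hardened(url, dest), check=False, capture_output=True)


if __name__ == "__main__":
    # Constructed payload for illustration: a 'url' that is really an hg option.
    # With the weak builder it would reach hg as --config and register a hook
    # whose value hg runs through the shell.
    payload = "--config=hooks.pre-clone=touch /tmp/pwned"
    print("vulnerable argv:", build_hg_clone_vulnerable(payload, "repo"))
    try:
        build_hg_clone_hardened(payload, "repo")
    except ValueError as exc:
        print("hardened builder rejected it:", exc)
    print("hardened argv:", build_hg_clone_hardened("https://example.com/repo", "repo"))
```

The `--` separator alone is not sufficient defence: a caller that builds the command as a shell string, or that reorders arguments, would bypass it, so the validation step and the argv-list form of `subprocess.run` are kept together with it.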

References

Affected packages

Git / github.com/vcs-python/libvcs

Affected ranges

Type
GIT
Repo
https://github.com/vcs-python/libvcs
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.10.0
v0.10.1
v0.11.0
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.3.0
v0.3.1
v0.3.1post1
v0.3.2
v0.3.3
v0.4.0
v0.4.0rc1
v0.4.2
v0.4.3
v0.4.4
v0.5.0
v0.9.0
v0.9.0a2