GO-2022-0414

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2022-0414

Import Source

https://vuln.go.dev/ID/GO-2022-0414.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2022-0414

Aliases

Published

2022-07-01T20:08:17Z

Modified

2026-03-16T03:10:58.658242Z

Summary

Command injection in github.com/Masterminds/vcs

Details

Passing untrusted inputs to VCS functions can permit an attacker to execute arbitrary commands.

The vcs package executes version control commands with user-provided arguments. These arguments can be interpreted as command-line flags, which can be used to perform command injection.

Database specific

{
    "url": "https://pkg.go.dev/vuln/GO-2022-0414",
    "review_status": "REVIEWED"
}

References

https://github.com/Masterminds/vcs/pull/105

Credits

- Alessio Della Libera of Snyk Research Team

Affected packages

Go / github.com/Masterminds/vcs

Package

Name: github.com/Masterminds/vcs; View open source insights on deps.dev
Purl: pkg:golang/github.com/Masterminds/vcs

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.13.3

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/Masterminds/vcs",
            "symbols": [
                "BzrRepo.ExportDir",
                "BzrRepo.Get",
                "BzrRepo.Init",
                "BzrRepo.Ping",
                "GitRepo.Get",
                "GitRepo.Init",
                "GitRepo.Update",
                "HgRepo.ExportDir",
                "HgRepo.Get",
                "HgRepo.Init",
                "HgRepo.Ping",
                "NewRepo",
                "NewSvnRepo",
                "SvnRepo.ExportDir",
                "SvnRepo.Get",
                "SvnRepo.Ping"
            ]
        }
    ]
}

Database specific

source

"https://vuln.go.dev/ID/GO-2022-0414.json"