PYSEC-2022-204

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/cookiecutter/PYSEC-2022-204.yaml

Aliases

CVE-2022-24065
GHSA-f4q6-9qm4-h8j4
SNYK-PYTHON-COOKIECUTTER-2414281

Published

2022-06-08T08:15:00Z

Modified

2023-11-08T04:08:29.124993Z

Details

The package cookiecutter before 2.1.1 are vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional flags can be set. The additional flags can be used to perform a command injection.

References

Affected packages

PyPI / cookiecutter

Package

Name: cookiecutter

Affected ranges

Type: GIT
Repo: https://github.com/cookiecutter/cookiecutter
Events: Introduced

0The exact introduced commit is unknown

Fixed

fdffddb31fd2b46344dfa317531ff155e7999f77

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

2.1.1

Affected versions

0.*

0.1

0.2

0.2.1

0.3

0.4

0.5

0.6.0

0.6.1

0.6.2

0.6.3

0.6.4

0.7.0

0.7.1

0.7.2

0.8.0

0.9.0

0.9.1

1.*

1.0.0

1.1.0

1.2.0

1.2.1

1.3.0

1.4.0

1.5.0

1.5.1

1.6.0

1.7.0

1.7.1

1.7.2

1.7.3

2.*

2.1.0