GitHub Advisory DatabaseGHSA-MV2W-4JQC-6FG4Command injection in libvcs and vcspull
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
75.5%
The package libvcs before 0.11.1 are vulnerable to Command Injection via argument injection. When calling the update_repo function (when using hg), the url parameter is passed to the hg clone command. By injecting some hg options it was possible to get arbitrary command execution.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| * | vcspull | * | cpe:2.3:a:*:vcspull:*:*:*:*:*:*:*:* |
| libvcs_project | libvcs | * | cpe:2.3:a:libvcs_project:libvcs:*:*:*:*:*:*:*:* |
References
github.com/advisories/GHSA-mv2w-4jqc-6fg4
github.com/pypa/advisory-database/tree/main/vulns/libvcs/PYSEC-2022-163.yaml
github.com/vcs-python/libvcs/blob/master/CHANGES#libvcs-0111-2022-03-12
github.com/vcs-python/libvcs/blob/v0.11.1/CHANGES%23libvcs-0111-2022-03-12
github.com/vcs-python/libvcs/pull/306
github.com/vcs-python/vcspull/blob/master/CHANGES#vcspull-1111-2022-03-12
github.com/vcs-python/vcspull/commit/e1b77128a1fa0754625b5f43d8bc47956f21f33e
nvd.nist.gov/vuln/detail/CVE-2022-21187
snyk.io/vuln/SNYK-PYTHON-LIBVCS-2421204
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
75.5%