Https://gitlab.com/gitlab-org/security-products/gemnasium-dbGITLAB-BA883F84051F6280A8EA52B543D22EB8Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
47.5%
The package github.com/masterminds/vcs before 1.13.3 is vulnerable to Command Injection via argument injection. When hg is executed, argument strings are passed to hg in a way that additional flags can be set. The additional flags can be used to perform a command injection.
| CPE | Name | Operator | Version |
|---|---|---|---|
| go/github.com/masterminds/vcs | lt | v1.13.2 |
References
github.com/advisories/GHSA-6635-c626-vj4r
github.com/Masterminds/vcs/commit/922a5122330ea8fbe56352a0172ddb6bf019cd22
github.com/Masterminds/vcs/pull/105
github.com/Masterminds/vcs/releases/tag/v1.13.2
github.com/Masterminds/vcs/security/advisories/GHSA-6635-c626-vj4r
nvd.nist.gov/vuln/detail/CVE-2022-21235
snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMASTERMINDSVCS-2437078
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
47.5%