9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
47.7%
URLs and local file paths passed to the Mercurial (hg) APIs that are specially crafted can contain commands which are executed by Mercurial if it is installed on the host operating system. The vcs
package uses the underly version control system, in this case hg
, to implement the needed functionality. When hg
is executed, argument strings are passed to hg
in a way that additional flags can be set. The additional flags can be used to perform a command injection. Other version control systems with an implemented interface may also be vulnerable. The issue has been fixed in version 1.13.2. A work around is to sanitize data passed to the vcs
package APIs to ensure it does not contain commands or unexpected data. This is important for user input data that is passed directly to the package APIs.
CPE | Name | Operator | Version |
---|---|---|---|
github.com/masterminds/vcs | lt | 1.13.2 |
github.com/Masterminds/vcs
github.com/Masterminds/vcs/commit/922a5122330ea8fbe56352a0172ddb6bf019cd22
github.com/Masterminds/vcs/pull/105
github.com/Masterminds/vcs/releases/tag/v1.13.2
github.com/Masterminds/vcs/security/advisories/GHSA-6635-c626-vj4r
nvd.nist.gov/vuln/detail/CVE-2022-21235
snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMASTERMINDSVCS-2437078
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
47.7%