Lucene search
GoogleOSV:GHSA-MV2W-4JQC-6FG4HistoryMar 15, 2022 - 12:00 a.m.
Command injection in libvcs and vcspull
2022-03-1500:00:53
Google
osv.dev
14
software
libvcs
vcspull
command injection
vulnerability
hg
update_repo
EPSS
0.005
Percentile
75.5%
The package libvcs before 0.11.1 are vulnerable to Command Injection via argument injection. When calling the update_repo function (when using hg), the url parameter is passed to the hg clone command. By injecting some hg options it was possible to get arbitrary command execution.
References
github.com/vcs-python/libvcs/blob/master/CHANGES#libvcs-0111-2022-03-12
github.com/vcs-python/libvcs/blob/v0.11.1/CHANGES%23libvcs-0111-2022-03-12
github.com/vcs-python/libvcs/pull/306
github.com/vcs-python/vcspull/blob/master/CHANGES#vcspull-1111-2022-03-12
github.com/vcs-python/vcspull/commit/e1b77128a1fa0754625b5f43d8bc47956f21f33e
nvd.nist.gov/vuln/detail/CVE-2022-21187
snyk.io/vuln/SNYK-PYTHON-LIBVCS-2421204
Related
cve
cve
CVE-2022-21187
2022-03-14 18:15:07
veracode
veracode
Command Injection
2022-03-15 03:45:44
nvd
nvd
CVE-2022-21187
2022-03-14 18:15:07
cnvd
cnvd
libvcs Command Injection Vulnerability
2022-03-15 00:00:00
prion
prion
Command injection
2022-03-14 18:15:00
osv
osv
CVE-2022-21187
2022-03-14 18:15:07
PYSEC-2022-163
2022-03-14 18:15:00
cvelist
cvelist
CVE-2022-21187 Command Injection
2022-03-14 17:15:17
github
github
Command injection in libvcs and vcspull
2022-03-15 00:00:53