GHSA-MV2W-4JQC-6FG4 Command injection in libvcs and vcspull

The package libvcs before 0.11.1 are vulnerable to Command Injection via argument injection. When calling the updaterepo function when using hg, the url parameter is passed to the hg clone command. By injecting some hg options it was possible to get arbitrary command execution...

Command injection in libvcs and vcspull

The package libvcs before 0.11.1 are vulnerable to Command Injection via argument injection. When calling the updaterepo function when using hg, the url parameter is passed to the hg clone command. By injecting some hg options it was possible to get arbitrary command execution...

vcspull (>=1.8.0 <=1.8.1) potentially affected by CVE-2022-21187 via libvcs (=0.10.1)

libvcs PYPI version =0.10.1 is affected by a known vulnerability. The following packages have a transitive dependency on libvcs and may be impacted: - vcspull =1.8.0, =1.8.1 Source cves: CVE-2022-21187 Source advisory: OSV:GHSA-MV2W-4JQC-6FG4...

vcspull (>=1.8.0 <=1.8.1) potentially affected by CVE-2022-21187 via libvcs (=0.10.1)

libvcs PYPI version =0.10.1 is affected by a known vulnerability. The following packages have a transitive dependency on libvcs and may be impacted: - vcspull =1.8.0, =1.8.1 Source cves: CVE-2022-21187 Source advisory: OSV:PYSEC-2022-163...

vcspull (>=1.8.0 <=1.8.1) potentially affected by CVE-2022-21187 via libvcs (=0.10.1)

libvcs PYPI version =0.10.1 is affected by a known vulnerability. The following packages have a transitive dependency on libvcs and may be impacted: - vcspull =1.8.0, =1.8.1 Source cves: CVE-2022-21187 Source advisory: SNYK:PYTHON-LIBVCS-2421204...