cookiecutter is vulnerable to command injection. The vulnerability exists in the clone function in vcs.py: the checkout parameter is not sanitized, which allows an attacker to inject and execute arbitrary code.
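The sketch below is an added example, not cookiecutter's own code or the code from the linked commit. It shows the general pattern behind this class of bug, a caller-supplied checkout value placed straight into a VCS command line, next to a hardened argv builder. The function names, the allow-list pattern and the sample values are all assumptions made for illustration.

```python
import re

# Hypothetical allow-list for branch, tag and commit names (an assumption of
# this example, not a rule taken from cookiecutter).
_SAFE_REF = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]*")


def checkout_argv_unsanitized(repo_type, checkout):
    """Pattern the advisory describes: the value reaches argv unchecked,
    so a value starting with "-" is parsed by the VCS tool as an option."""
    return [repo_type, "checkout", checkout]


def checkout_argv_hardened(repo_type, checkout):
    """Validate the ref and fix its position relative to "--"."""
    if repo_type not in ("git", "hg"):
        raise ValueError(f"unsupported repo type: {repo_type!r}")
    if not isinstance(checkout, str) or not _SAFE_REF.fullmatch(checkout):
        raise ValueError(f"rejected checkout value: {checkout!r}")
    if repo_type == "hg":
        # Everything after "--" is treated as a revision, never as an option.
        return ["hg", "checkout", "--", checkout]
    # For git, arguments after "--" are pathspecs, so the ref goes before it.
    return ["git", "checkout", checkout, "--"]


def classify(repo_type, values):
    """Return (value, accepted) pairs for a list of candidate checkout values."""
    results = []
    for value in values:
        try:
            checkout_argv_hardened(repo_type, value)
            results.append((value, True))
        except ValueError:
            results.append((value, False))
    return results


if __name__ == "__main__":
    # Constructed sample inputs; the option-like ones are inert placeholders.
    samples = ["main", "v2.1.1", "feature/x", "--constructed-option=value", "-x"]
    for value, accepted in classify("hg", samples):
        print(f"{value!r}: {'accepted' if accepted else 'rejected'}")
```

Passing the resulting list to subprocess without shell=True keeps each element a single argument. The validation and the "--" placement are what stop the value from being read as an option.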
github.com/cookiecutter/cookiecutter/commit/fdffddb31fd2b46344dfa317531ff155e7999f77
github.com/cookiecutter/cookiecutter/pull/1689
github.com/cookiecutter/cookiecutter/releases/tag/2.1.1
lists.fedoraproject.org/archives/list/[email protected]/message/G5TXC4JYTNGOUFMCXPZ6QKWEZN3URTAK/
lists.fedoraproject.org/archives/list/[email protected]/message/HQKWT7SGFDCUPPLDIELTN7FVTHWDL5YK/