← back
CVE-2022-21187

Command Injection

CVSS 8.1 HIGHEPSS 3.7%
The package libvcs before 0.11.1 are vulnerable to Command Injection via argument injection. When calling the update_repo function (when using hg), the url parameter is passed to the hg clone command. By injecting some hg options it was possible to get arbitrary command execution.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · libvcs

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/vcs-python/libvcs/blob/v0.11.1/CHANGES%23libvcs-0111-2022-03-12https://github.com/vcs-python/libvcs/pull/306https://snyk.io/vuln/SNYK-PYTHON-LIBVCS-2421204