← volver
CVE-2022-21187

Command Injection

CVSS 8.1 HIGHEPSS 3.7%
The package libvcs before 0.11.1 are vulnerable to Command Injection via argument injection. When calling the update_repo function (when using hg), the url parameter is passed to the hg clone command. By injecting some hg options it was possible to get arbitrary command execution.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Productos afectados
n/a · libvcs

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/vcs-python/libvcs/blob/v0.11.1/CHANGES%23libvcs-0111-2022-03-12https://github.com/vcs-python/libvcs/pull/306https://snyk.io/vuln/SNYK-PYTHON-LIBVCS-2421204