Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
PYSEC-2022-163
Vulnerability from pysec - Published: 2022-03-14 18:15 - Updated: 2022-03-14 20:32
VLAI
Details
The package libvcs before 0.11.1 are vulnerable to Command Injection via argument injection. When calling the update_repo function (when using hg), the url parameter is passed to the hg clone command. By injecting some hg options it was possible to get arbitrary command execution.
Impacted products
| Name | purl | libvcs | pkg:pypi/libvcs |
|---|
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "libvcs",
"purl": "pkg:pypi/libvcs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.11.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.1.2",
"0.1.3",
"0.1.4",
"0.1.5",
"0.1.6",
"0.1.7",
"0.10.0",
"0.10.1",
"0.11.0",
"0.2.0",
"0.2.1",
"0.2.2",
"0.2.3",
"0.3.0",
"0.3.1",
"0.3.1.post1",
"0.3.2",
"0.3.3",
"0.4.0",
"0.4.0rc1",
"0.4.0rc2",
"0.4.1",
"0.4.2",
"0.4.3",
"0.4.4",
"0.5.0",
"0.5.0a1",
"0.5.0a2",
"0.9.0",
"0.9.0a1",
"0.9.0a2"
]
}
],
"aliases": [
"CVE-2022-21187",
"SNYK-PYTHON-LIBVCS-2421204"
],
"details": "The package libvcs before 0.11.1 are vulnerable to Command Injection via argument injection. When calling the update_repo function (when using hg), the url parameter is passed to the hg clone command. By injecting some hg options it was possible to get arbitrary command execution.",
"id": "PYSEC-2022-163",
"modified": "2022-03-14T20:32:58.020706Z",
"published": "2022-03-14T18:15:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vcs-python/libvcs/pull/306"
},
{
"type": "WEB",
"url": "https://github.com/vcs-python/libvcs/blob/v0.11.1/CHANGES%23libvcs-0111-2022-03-12"
},
{
"type": "ADVISORY",
"url": "https://snyk.io/vuln/SNYK-PYTHON-LIBVCS-2421204"
}
]
}