GHSA-6635-C626-VJ4R

Vulnerability from github – Published: 2022-04-01 14:05 – Updated: 2024-05-20 21:29
VLAI?
Summary
Command Injection Vulnerability with Mercurial in VCS
Details

URLs and local file paths passed to the Mercurial (hg) APIs that are specially crafted can contain commands which are executed by Mercurial if it is installed on the host operating system. The vcs package uses the underly version control system, in this case hg, to implement the needed functionality. When hg is executed, argument strings are passed to hg in a way that additional flags can be set. The additional flags can be used to perform a command injection. Other version control systems with an implemented interface may also be vulnerable. The issue has been fixed in version 1.13.2. A work around is to sanitize data passed to the vcs package APIs to ensure it does not contain commands or unexpected data. This is important for user input data that is passed directly to the package APIs.

Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/Masterminds/vcs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.13.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21235"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77",
      "CWE-88"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-01T14:05:33Z",
    "nvd_published_at": "2022-04-01T16:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "URLs and local file paths passed to the Mercurial (hg) APIs that are specially crafted can contain commands which are executed by Mercurial if it is installed on the host operating system. The `vcs` package uses the underly version control system, in this case `hg`, to implement the needed functionality. When `hg` is executed, argument strings are passed to `hg` in a way that additional flags can be set. The additional flags can be used to perform a command injection. Other version control systems with an implemented interface may also be vulnerable. The issue has been fixed in version 1.13.2. A work around is to sanitize data passed to the `vcs` package APIs to ensure it does not contain commands or unexpected data. This is important for user input data that is passed directly to the package APIs.",
  "id": "GHSA-6635-c626-vj4r",
  "modified": "2024-05-20T21:29:38Z",
  "published": "2022-04-01T14:05:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Masterminds/vcs/security/advisories/GHSA-6635-c626-vj4r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21235"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Masterminds/vcs/pull/105"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Masterminds/vcs/commit/922a5122330ea8fbe56352a0172ddb6bf019cd22"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Masterminds/vcs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Masterminds/vcs/releases/tag/v1.13.2"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMASTERMINDSVCS-2437078"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Command Injection Vulnerability with Mercurial in VCS"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.