The package libvcs before 0.11.1 are vulnerable to Command Injection via argument injection. When calling the update_repo function (when using hg), the url parameter is passed to the hg clone command. By injecting some hg options it was possible to get arbitrary command execution.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: snyk
Published: 2022-03-14T17:15:17.020985Z
Updated: 2024-09-16T18:13:45.548Z
Reserved: 2022-02-24T00:00:00
Link: CVE-2022-21187
Vulnrichment
No data.
NVD
Status : Modified
Published: 2022-03-14T18:15:07.917
Modified: 2024-11-21T06:44:03.810
Link: CVE-2022-21187
Redhat
No data.