The package libvcs before 0.11.1 are vulnerable to Command Injection via argument injection. When calling the update_repo function (when using hg), the url parameter is passed to the hg clone command. By injecting some hg options it was possible to get arbitrary command execution.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2022-03-14T17:15:17.020985Z

Updated: 2024-09-16T18:13:45.548Z

Reserved: 2022-02-24T00:00:00

Link: CVE-2022-21187

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2022-03-14T18:15:07.917

Modified: 2024-11-21T06:44:03.810

Link: CVE-2022-21187

cve-icon Redhat

No data.