CVE-2022-24065

OS Command Injection in cookiecutter in pypi/cookiecutter

Identifiers

CVE-2022-24065, GHSA-f4q6-9qm4-h8j4

Package Slug

pypi/cookiecutter

Vulnerability

OS Command Injection in cookiecutter

Description

The package cookiecutter before 2.1.1 is vulnerable to command injection via argument injection into hg. When the cookiecutter function is called from Python code with the checkout parameter, the value is passed to the hg checkout command in a way that allows additional flags to be set; those flags can be used to achieve command injection.
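The defensive pattern for this class of bug, as an added example that is not cookiecutter's own code: a checkout ref taken from a caller is rejected if it looks like an option, restricted to characters a ref can actually contain, and placed after the `--` end-of-options separator (honoured by both hg and git) before being passed as a list argv with no shell. The function and regex names are assumptions.

```python
import re
import subprocess
from typing import List

# Characters a branch, tag, bookmark or commit id can reasonably contain.
# The first character may not be '-', so the value can never parse as an option.
_SAFE_REF = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/@+-]*$")


def is_safe_checkout_ref(checkout: str) -> bool:
    """True only if the ref is a non-empty string that cannot be read as a CLI flag."""
    if not isinstance(checkout, str) or not checkout:
        return False
    if checkout.startswith("-"):
        # A leading '-' is the argument-injection path this advisory describes:
        # the VCS client would parse the "ref" as one or more options.
        return False
    return _SAFE_REF.match(checkout) is not None


def build_checkout_argv(repo_type: str, checkout: str) -> List[str]:
    """Build argv for `hg checkout <ref>` / `git checkout <ref>`.

    The untrusted ref is validated and then placed after '--' so that even a
    value slipping past validation is treated as a positional argument.
    """
    if repo_type not in ("hg", "git"):
        raise ValueError(f"unsupported repo type: {repo_type!r}")
    if not is_safe_checkout_ref(checkout):
        raise ValueError(f"refusing unsafe checkout ref: {checkout!r}")
    return [repo_type, "checkout", "--", checkout]


def run_checkout(repo_type: str, checkout: str, repo_dir: str) -> bytes:
    """Run the checkout with a list argv (no shell) inside the cloned repository."""
    return subprocess.check_output(
        build_checkout_argv(repo_type, checkout),
        cwd=repo_dir,
        stderr=subprocess.STDOUT,
    )
```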

Affected Versions

All versions before 2.1.1

Solution

Upgrade to version 2.1.1 or above.

Last Modified

2022-06-10