CVE-2022-21187: Command injection in libvcs and vcspull
(updated )
The package libvcs before 0.11.1 are vulnerable to Command Injection via argument injection. When calling the update_repo function (when using hg), the url parameter is passed to the hg clone command. By injecting some hg options it was possible to get arbitrary command execution.
References
- github.com/advisories/GHSA-mv2w-4jqc-6fg4
- github.com/pypa/advisory-database/tree/main/vulns/libvcs/PYSEC-2022-163.yaml
- github.com/vcs-python/libvcs/blob/master/CHANGES
- github.com/vcs-python/libvcs/blob/v0.11.1/CHANGES%23libvcs-0111-2022-03-12
- github.com/vcs-python/libvcs/pull/306
- github.com/vcs-python/vcspull/blob/master/CHANGES
- github.com/vcs-python/vcspull/commit/e1b77128a1fa0754625b5f43d8bc47956f21f33e
- nvd.nist.gov/vuln/detail/CVE-2022-21187
- snyk.io/vuln/SNYK-PYTHON-LIBVCS-2421204
Detect and mitigate CVE-2022-21187 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →