CVE-2022-21187
Published 2022-03-14
Priority: P261 · critical 9.8 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.65% (88.2th percentile)
The libvcs package before 0.11.1 is vulnerable to command injection via argument injection. When the update_repo function is called for an hg repository, the url parameter is passed straight to the hg clone command, so injecting hg options through it made arbitrary command execution possible.
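The pattern above, as an added illustration that is not libvcs code: a caller-controlled value placed into a subprocess argv as a positional argument is parsed as an option if it begins with a dash, and the defence is to reject option-looking values and terminate option parsing with `--`. All function names are hypothetical, and the example assumes hg honours the conventional `--` end-of-options marker.

```python
"""Added example: positional-argument injection into a subprocess call and
one way to guard it. Hypothetical helpers, not libvcs code."""
import subprocess
from typing import List


def looks_like_option(value: str) -> bool:
    """A caller-supplied value that begins with '-' is parsed by hg (and most
    CLIs) as an option rather than a URL: that is the injection primitive."""
    return value.startswith("-")


def vulnerable_hg_clone_argv(url: str, dest: str) -> List[str]:
    """The unsafe shape the advisory describes: url goes directly into argv,
    so an option-looking url is honoured by hg instead of being cloned."""
    return ["hg", "clone", url, dest]


def hardened_hg_clone_argv(url: str, dest: str) -> List[str]:
    """Two independent guards: reject option-looking positionals up front, and
    put '--' before them so hg stops option parsing (assumes hg honours the
    conventional end-of-options marker)."""
    for name, value in (("url", url), ("dest", dest)):
        if looks_like_option(value):
            raise ValueError(f"{name} must not start with '-': {value!r}")
    return ["hg", "clone", "--", url, dest]


def rejects_option_like(url: str, dest: str) -> bool:
    """True when the hardened builder refuses the (url, dest) pair."""
    try:
        hardened_hg_clone_argv(url, dest)
    except ValueError:
        return True
    return False


def clone(url: str, dest: str) -> subprocess.CompletedProcess:
    """Run the hardened argv with shell=False so shell metacharacters never
    apply; option injection is the remaining risk and the builder closes it."""
    return subprocess.run(hardened_hg_clone_argv(url, dest), check=True, shell=False)


if __name__ == "__main__":
    # Constructed sample value: option-looking, deliberately not a real hg option.
    print(vulnerable_hg_clone_argv("--not-a-url", "/tmp/repo"))
    print(rejects_option_like("--not-a-url", "/tmp/repo"))
    print(hardened_hg_clone_argv("https://example.org/repo", "/tmp/repo"))
```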
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| libvcs_project | libvcs | < 0.11.1 | 0.11.1 |
| libvcs_project | libvcs | >= 0 < 0.11.1 | 0.11.1 |
| libvcs_project | libvcs | >= unspecified < 0.11.1 | 0.11.1 |
CVSS provenance
- NVD CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
GHSA · 2022-03-15 · CVE-2022-21187 [CRITICAL] CWE-74 · Command injection in libvcs and vcspull
OSV · 2022-03-15 · CVE-2022-21187 [CRITICAL] · Command injection in libvcs and vcspull
OSV · 2022-03-14 · CVE-2022-21187: The package libvcs before 0
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/vcs-python/libvcs/blob/v0.11.1/CHANGES#libvcs-0111-2022-03-12
- https://github.com/vcs-python/libvcs/pull/306
- https://snyk.io/vuln/SNYK-PYTHON-LIBVCS-2421204