CVE-2022-24065
published 2022-06-08


Priority: P262 · Severity: critical 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.22% (89.7th percentile)
The package cookiecutter before 2.1.1 is vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional flags can be set. The additional flags can be used to perform a command injection.

Affected (8 ranges)

Vendor               | Product      | Version range                  | Fixed in
cookiecutter_project | cookiecutter | < 2.1.1                        | 2.1.1
cookiecutter_project | cookiecutter | >= 0 < 2.6.0-1                 | 2.6.0-1
cookiecutter_project | cookiecutter | >= 0 < 2.6.0-1                 | 2.6.0-1
cookiecutter_project | cookiecutter | >= 0 < 2.1.1                   | 2.1.1
cookiecutter_project | cookiecutter | >= unspecified < 2.1.1         | 2.1.1
debian               | cookiecutter | < cookiecutter 2.6.0-1 (forky) | cookiecutter 2.6.0-1 (forky)
fedoraproject        | fedora       |                                |
fedoraproject        | fedora       |                                |

Detection & IOCs (extracted from sources)

  • Command injection occurs when the `checkout` parameter passed to the `cookiecutter` Python function is forwarded unsanitized to the `hg checkout` command, allowing injection of additional Mercurial flags.
  • Monitor for suspicious `hg` (Mercurial) process invocations spawned by Python/cookiecutter processes, especially those containing unexpected flag arguments (e.g., `--config`, `--cwd`, `--repository`) that could indicate argument injection.
  • Vulnerability only affects cookiecutter versions before 2.1.1; fixed in 2.1.1 upstream and in Debian package 2.6.0-1 (forky/sid/trixie). Debian bookworm remains open/unfixed.
  • Exploitation requires the attacker to control the `checkout` parameter when `cookiecutter` is called from Python code: this is a local-scope vulnerability per Debian's classification.
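Added example (not cookiecutter's own code): a hardened way to build the `hg checkout` argv that refuses option-like refs, next to a small detector that applies the monitoring rule above to constructed process-creation events. Assumptions: `hg` honours `--` as an end-of-options separator, and the `parent`/`cmd` event fields are a constructed schema, not a real sensor format.

```python
import shlex
from typing import Dict, List

# Mercurial global flags the advisory names as argument-injection indicators.
SUSPICIOUS_HG_FLAGS = {"--config", "--cwd", "--repository", "-R"}
# Parent images under which cookiecutter would spawn hg.
PYTHON_PARENTS = ("python", "python3", "cookiecutter")


def is_option_like(ref: str) -> bool:
    """True if hg would parse the ref as an option instead of a revision."""
    return not ref or ref.startswith("-")


def hg_checkout_argv(checkout: str) -> List[str]:
    """Hardened argv for `hg checkout <ref>` (assumed fix, not upstream code).

    An option-like value is the injection in CVE-2022-24065, so reject it and
    additionally end option parsing with '--' (assumes hg honours the separator).
    """
    if is_option_like(checkout):
        raise ValueError(f"refusing option-like checkout ref: {checkout!r}")
    return ["hg", "checkout", "--", checkout]


def flag_hg_event(parent_image: str, cmdline: str) -> List[str]:
    """Suspicious flags in an hg invocation whose parent is Python/cookiecutter."""
    argv = shlex.split(cmdline)
    parent = parent_image.rsplit("/", 1)[-1]
    if argv[:1] != ["hg"] or not parent.startswith(PYTHON_PARENTS):
        return []
    # `--config=ui.x=y` and `--config ui.x=y` both begin with the flag name.
    return [tok for tok in argv[1:] if tok.split("=", 1)[0] in SUSPICIOUS_HG_FLAGS]


def scan_events(events: List[Dict[str, str]]) -> List[int]:
    """Indices of process events that look like hg argument injection."""
    return [i for i, ev in enumerate(events) if flag_hg_event(ev["parent"], ev["cmd"])]


# Constructed process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"parent": "/usr/bin/python3", "cmd": "hg clone https://example.invalid/tpl /tmp/tpl"},
    {"parent": "/usr/bin/python3", "cmd": "hg checkout release-1.2"},
    {"parent": "/usr/bin/python3", "cmd": "hg checkout --config=ui.verbose=true release-1.2"},
    {"parent": "/bin/bash", "cmd": "hg checkout --cwd /srv/repo default"},  # interactive use
]

if __name__ == "__main__":
    print(scan_events(SAMPLE_EVENTS))          # [2]
    print(hg_checkout_argv("release-1.2"))     # ['hg', 'checkout', '--', 'release-1.2']
```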

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv           |         | 9.8   | CRITICAL |
vendor_debian |         | 8.1   | HIGH     |