CVE-2022-24065 — OS Command Injection in Project Cookiecutter

CWE-78 — OS Command Injection5 documents4 sources

Severity

9.8CRITICALNVD

EPSS

1.8%

top 17.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cookiecutter Project Cookiecutter Debian Cookiecutter Fedoraproject Fedora

Timeline

PublishedJun 8

Latest updateJun 9

Description

The package cookiecutter before 2.1.1 are vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional flags can be set. The additional flags can be used to perform a command injection.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

▶debiandebian/cookiecutter< cookiecutter 2.6.0-1 (forky)

▶CVEListV5cookiecutter_project/cookiecutterunspecified — 2.1.1

▶NVDcookiecutter_project/cookiecutter< 2.1.1

▶PyPIcookiecutter_project/cookiecutter< 2.1.1

▶Debiancookiecutter_project/cookiecutter< 2.6.0-1+1

Also affects: Fedora 35, 36

Patches

Patch: github.com ↗Patch: snyk.io ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

OS Command Injection in cookiecutter↗2022-06-09

▶

OSV

OS Command Injection in cookiecutter↗2022-06-09

▶

OSV

CVE-2022-24065: The package cookiecutter before 2↗2022-06-08

▶

📋Vendor Advisories

Debian

CVE-2022-24065: cookiecutter - The package cookiecutter before 2.1.1 are vulnerable to Command Injection via hg...↗2022

▶