CVE-2022-24065
Published: 2022-06-08
CVE-2022-24065: The package cookiecutter before 2.1.1 is vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code…
Priority P2 · 62 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.22% (89.7th percentile)
The package cookiecutter before 2.1.1 is vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional flags can be set. The additional flags can be used to perform a command injection.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cookiecutter_project | cookiecutter | < 2.1.1 | 2.1.1 |
| cookiecutter_project | cookiecutter | >= 0 < 2.6.0-1 | 2.6.0-1 |
| cookiecutter_project | cookiecutter | >= 0 < 2.6.0-1 | 2.6.0-1 |
| cookiecutter_project | cookiecutter | >= 0 < 2.1.1 | 2.1.1 |
| cookiecutter_project | cookiecutter | >= unspecified < 2.1.1 | 2.1.1 |
| debian | cookiecutter | < cookiecutter 2.6.0-1 (forky) | cookiecutter 2.6.0-1 (forky) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
Detection & IOCs (extracted from sources)
- Command injection occurs when the `checkout` parameter passed to the `cookiecutter` Python function is forwarded unsanitized to the `hg checkout` command, allowing injection of additional Mercurial flags.
- Monitor for suspicious `hg` (Mercurial) process invocations spawned by Python/cookiecutter processes, especially those containing unexpected flag arguments (e.g., `--config`, `--cwd`, `--repository`) that could indicate argument injection.
- The vulnerability only affects cookiecutter versions before 2.1.1; it is fixed in 2.1.1 upstream and in Debian package 2.6.0-1 (forky/sid/trixie). Debian bookworm remains open/unfixed.
- Exploitation requires the attacker to control the `checkout` parameter when `cookiecutter` is called from Python code; this is a local-scope vulnerability per Debian's classification.
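The following is an added example, not cookiecutter's own code and not the upstream patch. It illustrates the argument-injection pattern the description above refers to (a caller-controlled `checkout` value landing directly after `hg checkout`, where a leading `-` makes hg read it as an option), a hardened way to build the same argv, and the process-monitoring heuristic from the detection note (flag-shaped tokens after `checkout` in hg invocations spawned by Python). All function names, the `--` end-of-options mitigation and the sample process records are this example's own assumptions; the records are constructed, not captured telemetry.

```python
"""Added example (not cookiecutter's own code): the argument-injection
pattern behind CVE-2022-24065, a hardened argv builder, and a detection
heuristic for flag-shaped arguments in hg process invocations.
Function names, the mitigation and the sample records are assumptions."""
import os
import shlex


def vulnerable_checkout_argv(checkout: str) -> list[str]:
    """The pattern the advisory describes: a caller-supplied `checkout`
    value is placed straight after `hg checkout`, so a value that starts
    with '-' is parsed by hg as an option instead of a revision name."""
    return ["hg", "checkout", checkout]


def safe_checkout_argv(checkout: str) -> list[str]:
    """Hardened form (assumed mitigation, not the upstream patch verbatim):
    reject option-shaped values outright, and end option parsing with '--'
    so whatever follows is treated as a positional revision argument."""
    if not checkout or checkout.startswith("-"):
        raise ValueError(f"refusing option-shaped checkout value: {checkout!r}")
    return ["hg", "checkout", "--", checkout]


def suspicious_hg_invocation(cmdline: str) -> bool:
    """Detection heuristic from the advisory: any flag-shaped token between
    `hg checkout` and an end-of-options marker (e.g. --config, --cwd,
    --repository). Tokens after '--' are positional and are ignored."""
    argv = shlex.split(cmdline)
    if len(argv) < 2 or os.path.basename(argv[0]) != "hg" or argv[1] != "checkout":
        return False  # not an hg checkout at all
    for tok in argv[2:]:
        if tok == "--":
            break  # hg stops option parsing here
        if tok.startswith("-"):
            return True
    return False


# Constructed process records: (parent process name, child command line).
SAMPLE_PROCESS_RECORDS = [
    ("python3", "hg checkout default"),
    ("python3", "/usr/bin/hg checkout --cwd /tmp default"),
    ("python3", "hg checkout -- --not-an-option"),
    ("bash", "hg checkout -r 42"),
]


def scan_process_records(records, parents=("python", "python3", "cookiecutter")):
    """Return command lines that a Python/cookiecutter parent spawned with
    flag-shaped checkout arguments. hg runs from an interactive shell are
    left alone, because `hg checkout -r` is normal there."""
    return [cmd for parent, cmd in records
            if parent in parents and suspicious_hg_invocation(cmd)]


if __name__ == "__main__":
    for hit in scan_process_records(SAMPLE_PROCESS_RECORDS):
        print("suspicious:", hit)
```

The builder rejects option-shaped values before adding `--`, so a refused value surfaces as an error in the calling code rather than being silently reinterpreted; the scanner keys on the parent process because the advisory's concern is hg spawned from Python, not hg typed by a developer.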
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 8.1 | HIGH | — |
Debian
CVE-2022-24065 [HIGH] cookiecutter - The package cookiecutter before 2.1.1 are vulnerable to Command Injection via hg...
vendor_debian · 2022 · CVSS 8.1
Description: same text as the NVD description above.
Scope: local
bookworm: open
forky: resolved (fixed in 2.6.0-1)
sid: resolved (fixed in 2.6.0-1)
trixie: resolved (fixed in 2.6.0-1)
GHSA
CVE-2022-24065 [CRITICAL] CWE-78 OS Command Injection in cookiecutter
ghsa · 2022-06-09
Description: same text as the NVD description above.
OSV
CVE-2022-24065 [CRITICAL] OS Command Injection in cookiecutter
osv · 2022-06-09
Description: same text as the NVD description above.
OSV
CVE-2022-24065 [CRITICAL] CVE-2022-24065: The package cookiecutter before 2
osv · 2022-06-08 · CVSS 9.8
Description: same text as the NVD description above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/cookiecutter/cookiecutter/commit/fdffddb31fd2b46344dfa317531ff155e7999f77
- https://github.com/cookiecutter/cookiecutter/releases/tag/2.1.1
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G5TXC4JYTNGOUFMCXPZ6QKWEZN3URTAK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQKWT7SGFDCUPPLDIELTN7FVTHWDL5YK/
- https://snyk.io/vuln/SNYK-PYTHON-COOKIECUTTER-2414281