
CVE-2022-21235 github.com/masterminds/vcs

Package

Manager: go
Name: github.com/masterminds/vcs
Vulnerable Version: >=0 <1.13.2

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00379 (percentile 0.58612)

Details

Command injection vulnerability with Mercurial. VCS URLs and local file paths passed to the Mercurial (hg) APIs that are specially crafted can contain commands which are executed by Mercurial if it is installed on the host operating system. The `vcs` package uses the underlying version control system, in this case `hg`, to implement the needed functionality. When `hg` is executed, argument strings are passed to `hg` in a way that additional flags can be set. The additional flags can be used to perform a command injection. Other version control systems with an implemented interface may also be vulnerable. The issue has been fixed in version 1.13.2. A workaround is to sanitize data passed to the `vcs` package APIs to ensure it does not contain commands or unexpected data. This is important for user input data that is passed directly to the package APIs.
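Added example, not code from the `vcs` package or from the advisory: a Go wrapper applying the workaround described above, rejecting URL or path values that `hg` would parse as options and terminating option parsing with `--` before the positional arguments. The function names and sample inputs are constructed for illustration; the example covers only the flag-shaped argument case the advisory describes.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// ErrFlagLikeArgument: a value meant as a URL or path looks like an hg option.
var ErrFlagLikeArgument = errors.New("vcs: argument must not start with '-'")

// checkPositional rejects values hg would parse as options instead of as a
// URL or path; the empty string is rejected as well.
func checkPositional(v string) error {
	v = strings.TrimSpace(v)
	if v == "" || strings.HasPrefix(v, "-") {
		return ErrFlagLikeArgument
	}
	return nil
}

// HgCloneArgs builds the argv for `hg clone <remote> <local>`. Each
// caller-supplied value is validated and "--" precedes the positional
// arguments so hg stops option parsing there.
func HgCloneArgs(remote, local string) ([]string, error) {
	for _, v := range []string{remote, local} {
		if err := checkPositional(v); err != nil {
			return nil, fmt.Errorf("%w: %q", err, v)
		}
	}
	return []string{"clone", "--", remote, local}, nil
}

// RunHgClone (hypothetical wrapper) executes hg only with a validated argv.
func RunHgClone(remote, local string) error {
	args, err := HgCloneArgs(remote, local)
	if err != nil {
		return err
	}
	return exec.Command("hg", args...).Run()
}

func main() {
	// Constructed inputs: a normal remote and a flag-shaped one.
	for _, r := range []string{"https://example.org/repo", "--some-option=x"} {
		args, err := HgCloneArgs(r, "workdir")
		fmt.Println(args, err)
	}
}
```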

Metadata

Created: 2022-04-01T14:05:33Z
Modified: 2024-05-20T21:29:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-6635-c626-vj4r/GHSA-6635-c626-vj4r.json
CWE IDs: CWE-77, CWE-88
Alternative ID: GHSA-6635-c626-vj4r
Finding: F422
Auto approve: 1