CVE-2022-24065 – cookiecutter
Package
Manager: pip
Name: cookiecutter
Vulnerable Version: >=0 <2.1.1
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.02875 (percentile 0.85767)
Details
OS Command Injection in cookiecutter. The package cookiecutter before 2.1.1 is vulnerable to command injection via hg argument injection. When the cookiecutter function is called from Python code with the checkout parameter, the value is passed to the hg checkout command in a way that allows additional flags to be set. These additional flags can be used to perform a command injection.
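The argument-injection pattern described above, as an added illustration that is not cookiecutter's own code: a caller-controlled checkout value is appended to the hg argv unchanged, so a value beginning with "-" is read by hg's option parser as an option rather than a revision name. The hardened builder rejects option-like values against a conservative allow-list and ends option parsing with "--" so a positional argument can never be promoted to a flag. The function names, the allow-list pattern, the exact argv layout and the sample values are assumptions made for this example.

```python
"""Added example (not cookiecutter's own code): the argument-injection pattern
from the advisory beside one way to harden it. Names and sample values are
constructed for illustration."""
import re
import subprocess
from typing import List

# Conservative allow-list for a revision/branch/tag name (assumption for this
# example; real Mercurial names may contain more characters, adjust as needed).
# Rejecting a leading "-" is the part that matters for argument injection.
_SAFE_REF = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/+-]{0,255}$")


class UnsafeCheckoutRef(ValueError):
    """Raised when a checkout value could be parsed by hg as an option."""


def build_hg_checkout_argv_vulnerable(checkout: str) -> List[str]:
    """Pattern the advisory describes: the caller's value becomes a bare argv
    element, so a value starting with '-' is seen by hg as a flag, not a rev."""
    return ["hg", "checkout", checkout]


def validate_checkout_ref(checkout: str) -> str:
    """Accept only values that cannot be mistaken for an hg option."""
    if checkout.startswith("-"):
        raise UnsafeCheckoutRef(f"checkout value looks like an option: {checkout!r}")
    if not _SAFE_REF.match(checkout):
        raise UnsafeCheckoutRef(f"checkout value contains disallowed characters: {checkout!r}")
    return checkout


def build_hg_checkout_argv(checkout: str) -> List[str]:
    """Hardened form: validated ref, and '--' ends option parsing so even a
    ref that slipped past validation is still treated as a positional."""
    ref = validate_checkout_ref(checkout)
    return ["hg", "checkout", "--", ref]


def hg_checkout(repo_dir: str, checkout: str) -> None:
    """Run the hardened command (list argv, no shell) inside a cloned repo."""
    subprocess.run(build_hg_checkout_argv(checkout), cwd=repo_dir, check=True)


if __name__ == "__main__":
    # Constructed inputs: a normal branch name and an option-looking value.
    for value in ("default", "release/2.1", "--some-option"):
        try:
            print(build_hg_checkout_argv(value))
        except UnsafeCheckoutRef as exc:
            print("rejected:", exc)
```

The validation step is the real fix; the "--" separator is defense in depth for the case where the allow-list is later loosened. Passing a list to subprocess without a shell is still required, since it keeps the value from being interpreted by a shell on top of hg's own option parsing.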
Metadata
Created: 2022-06-09T23:48:49Z
Modified: 2024-11-18T16:26:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-f4q6-9qm4-h8j4/GHSA-f4q6-9qm4-h8j4.json
CWE IDs: CWE-78
Alternative ID: GHSA-f4q6-9qm4-h8j4
Finding: F404
Auto approve: 1