Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02NjM1LWM2MjYtdmo0cs03og
Command Injection Vulnerability with Mercurial in VCS
URLs and local file paths passed to the Mercurial (hg) APIs that are specially crafted can contain commands which are executed by Mercurial if it is installed on the host operating system. The vcs
package uses the underly version control system, in this case hg
, to implement the needed functionality. When hg
is executed, argument strings are passed to hg
in a way that additional flags can be set. The additional flags can be used to perform a command injection. Other version control systems with an implemented interface may also be vulnerable. The issue has been fixed in version 1.13.2. A work around is to sanitize data passed to the vcs
package APIs to ensure it does not contain commands or unexpected data. This is important for user input data that is passed directly to the package APIs.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02NjM1LWM2MjYtdmo0cs03og
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-6635-c626-vj4r, CVE-2022-21235
References:
- https://github.com/Masterminds/vcs/security/advisories/GHSA-6635-c626-vj4r
- https://github.com/Masterminds/vcs/commit/922a5122330ea8fbe56352a0172ddb6bf019cd22
- https://github.com/Masterminds/vcs/releases/tag/v1.13.2
- https://nvd.nist.gov/vuln/detail/CVE-2022-21235
- https://github.com/Masterminds/vcs/pull/105
- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMASTERMINDSVCS-2437078
- https://github.com/advisories/GHSA-6635-c626-vj4r
Blast Radius: 36.9
Affected Packages
go:github.com/Masterminds/vcs
Dependent packages: 274Dependent repositories: 5,816
Downloads:
Affected Version Ranges: < 1.13.2
Fixed in: 1.13.2
All affected versions: 1.8.0, 1.9.0, 1.10.0, 1.10.1, 1.10.2, 1.11.0, 1.11.1, 1.12.0, 1.13.0, 1.13.1
All unaffected versions: 1.13.2, 1.13.3