CVE-2022-21187
HIGHlibvcs < 0.11.1 - OS Command Injection via hg clone URL Parameter
Title source: llmDescription
The package libvcs before 0.11.1 are vulnerable to Command Injection via argument injection. When calling the update_repo function (when using hg), the url parameter is passed to the hg clone command. By injecting some hg options it was possible to get arbitrary command execution.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-PYTHON-LIBVCS-2421204
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/vcs-python/libvcs/blob/v0.11.1/CHANGES%23libvcs-0111-2022-03-12
Patch, Third Party Advisory x_refsource_misc
https://github.com/vcs-python/libvcs/pull/306
Scores
CVSS v3
8.1
EPSS
0.0365
EPSS Percentile
88.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-88
Status
published
Products (3)
libvcs_project/libvcs
< 0.11.1
pypi/libvcs
0 - 0.11.1PyPI
pypi/vcspull
0 - 1.11.1PyPI
Published
Mar 14, 2022
Tracked Since
Feb 18, 2026