CVE-2022-21187

HIGH

Libvcs < 0.11.1 - Command Injection

Title source: rule

Description

The package libvcs before 0.11.1 are vulnerable to Command Injection via argument injection. When calling the update_repo function (when using hg), the url parameter is passed to the hg clone command. By injecting some hg options it was possible to get arbitrary command execution.

References (3)

[Release Notes, Third Party Advisory] https://github.com/vcs-python/libvcs/blob/v0.11.1/CHANGES%23libvcs-0111-2022-03-12

[Patch, Third Party Advisory] https://github.com/vcs-python/libvcs/pull/306

[Third Party Advisory] https://snyk.io/vuln/SNYK-PYTHON-LIBVCS-2421204

Scores

CVSS v3 8.1

EPSS 0.0128

EPSS Percentile 79.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-88

Status published

Affected Products (3)

libvcs_project/libvcs < 0.11.1

pypi/libvcs < 0.11.1PyPI

pypi/vcspull < 1.11.1PyPI

Timeline

Published Mar 14, 2022

Tracked Since Feb 18, 2026