CVE-2022-21235
HIGHvcs < 1.13.3 - Command Injection via hg Argument Injection
Title source: llmDescription
The package github.com/masterminds/vcs before 1.13.3 are vulnerable to Command Injection via argument injection. When hg is executed, argument strings are passed to hg in a way that additional flags can be set. The additional flags can be used to perform a command injection.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMASTERMINDSVCS-2437078
Patch, Third Party Advisory x_refsource_misc
https://github.com/Masterminds/vcs/pull/105
Scores
CVSS v3
8.1
EPSS
0.0176
EPSS Percentile
75.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-88
Status
published
Products (2)
Masterminds/vcs
0 - 1.13.2Go
vcs_project/vcs
< 1.1.13
Published
Apr 01, 2022
Tracked Since
Feb 18, 2026