Description
The cookiecutter package before 2.1.1 is vulnerable to command injection via hg argument injection. When the cookiecutter function is called from Python code with the checkout parameter, the value is passed to the hg checkout command in a way that allows additional flags to be set. Those additional flags can be used to perform a command injection.
References (5)
Exploit, Patch, Third Party Advisory (x_refsource_misc): https://snyk.io/vuln/SNYK-PYTHON-COOKIECUTTER-2414281
Third Party Advisory (x_refsource_misc): https://github.com/cookiecutter/cookiecutter/releases/tag/2.1.1
Patch, Third Party Advisory (x_refsource_misc): https://github.com/cookiecutter/cookiecutter/commit/fdffddb31fd2b46344dfa317531ff155e7999f77
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQKWT7SGFDCUPPLDIELTN7FVTHWDL5YK/
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G5TXC4JYTNGOUFMCXPZ6QKWEZN3URTAK/
Scores
CVSS v3: 8.1
EPSS: 0.0222
EPSS Percentile: 84.7%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-78
Status: published
Products (4)
cookiecutter_project/cookiecutter: < 2.1.1
fedoraproject/fedora: 35
fedoraproject/fedora: 36
pypi/cookiecutter: 0 - 2.1.1 (PyPI)
Published: Jun 08, 2022
Tracked Since: Feb 18, 2026