GHSA-6635-c626-vj4r

Suggest an improvement
Source
https://github.com/advisories/GHSA-6635-c626-vj4r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-6635-c626-vj4r/GHSA-6635-c626-vj4r.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-6635-c626-vj4r
Aliases
Published
2022-04-01T14:05:33Z
Modified
2024-05-20T21:29:38Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Command Injection Vulnerability with Mercurial in VCS
Details

URLs and local file paths passed to the Mercurial (hg) APIs that are specially crafted can contain commands which are executed by Mercurial if it is installed on the host operating system. The vcs package uses the underly version control system, in this case hg, to implement the needed functionality. When hg is executed, argument strings are passed to hg in a way that additional flags can be set. The additional flags can be used to perform a command injection. Other version control systems with an implemented interface may also be vulnerable. The issue has been fixed in version 1.13.2. A work around is to sanitize data passed to the vcs package APIs to ensure it does not contain commands or unexpected data. This is important for user input data that is passed directly to the package APIs.

Database specific 
{
    "nvd_published_at": "2022-04-01T16:15:00Z",
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-01T14:05:33Z",
    "severity": "CRITICAL",
    "cwe_ids": [
        "CWE-77",
        "CWE-88"
    ]
}
References

Affected packages

Go / github.com/Masterminds/vcs

Package

Name
github.com/Masterminds/vcs
View open source insights on deps.dev
Purl
pkg:golang/github.com/Masterminds/vcs

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.13.2