GO-2022-0414

Source
https://pkg.go.dev/vuln/GO-2022-0414
Import Source
https://vuln.go.dev/ID/GO-2022-0414.json
JSON Data
https://api.test.osv.dev/v1/vulns/GO-2022-0414
Aliases
Published
2022-07-01T20:08:17Z
Modified
2024-05-20T16:03:47Z
Summary
Command injection in github.com/Masterminds/vcs
Details

Passing untrusted inputs to VCS functions can permit an attacker to execute arbitrary commands.

The vcs package executes version control commands with user-provided arguments. These arguments can be interpreted as command-line flags, which can be used to perform command injection.

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2022-0414"
}
References
Credits
    • Alessio Della Libera of Snyk Research Team

Affected packages

Go / github.com/Masterminds/vcs

Package

Name
github.com/Masterminds/vcs
View open source insights on deps.dev
Purl
pkg:golang/github.com/Masterminds/vcs

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.13.3

Ecosystem specific

{
    "imports": [
        {
            "symbols": [
                "BzrRepo.ExportDir",
                "BzrRepo.Get",
                "BzrRepo.Init",
                "BzrRepo.Ping",
                "GitRepo.Get",
                "GitRepo.Init",
                "GitRepo.Update",
                "HgRepo.ExportDir",
                "HgRepo.Get",
                "HgRepo.Init",
                "HgRepo.Ping",
                "NewRepo",
                "NewSvnRepo",
                "SvnRepo.ExportDir",
                "SvnRepo.Get",
                "SvnRepo.Ping"
            ],
            "path": "github.com/Masterminds/vcs"
        }
    ]
}