GO-2022-0414

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2022-0414

Import Source

https://vuln.go.dev/ID/GO-2022-0414.json

JSON Data

https://api.test.osv.dev/v1/vulns/GO-2022-0414

Aliases

CVE-2022-21235
GHSA-6635-c626-vj4r

Published

2022-07-01T20:08:17Z

Modified

2024-05-20T16:03:47Z

Summary

Command injection in github.com/Masterminds/vcs

Details

Passing untrusted inputs to VCS functions can permit an attacker to execute arbitrary commands.

The vcs package executes version control commands with user-provided arguments. These arguments can be interpreted as command-line flags, which can be used to perform command injection.

Database specific

{
    "url": "https://pkg.go.dev/vuln/GO-2022-0414",
    "review_status": "REVIEWED"
}

References

https://github.com/Masterminds/vcs/pull/105

Credits

- Alessio Della Libera of Snyk Research Team

Affected packages

Go / github.com/Masterminds/vcs

Package

Name: github.com/Masterminds/vcs; View open source insights on deps.dev
Purl: pkg:golang/github.com/Masterminds/vcs

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.13.3

Ecosystem specific

{
    "imports": [
        {
            "symbols": [
                "BzrRepo.ExportDir",
                "BzrRepo.Get",
                "BzrRepo.Init",
                "BzrRepo.Ping",
                "GitRepo.Get",
                "GitRepo.Init",
                "GitRepo.Update",
                "HgRepo.ExportDir",
                "HgRepo.Get",
                "HgRepo.Init",
                "HgRepo.Ping",
                "NewRepo",
                "NewSvnRepo",
                "SvnRepo.ExportDir",
                "SvnRepo.Get",
                "SvnRepo.Ping"
            ],
            "path": "github.com/Masterminds/vcs"
        }
    ]
}