Passing untrusted inputs to VCS functions can permit an attacker to execute arbitrary commands.
The vcs package executes version control commands with user-provided arguments. These arguments can be interpreted as command-line flags, which can be used to perform command injection.
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2022-0414" }
{ "imports": [ { "symbols": [ "BzrRepo.ExportDir", "BzrRepo.Get", "BzrRepo.Init", "BzrRepo.Ping", "GitRepo.Get", "GitRepo.Init", "GitRepo.Update", "HgRepo.ExportDir", "HgRepo.Get", "HgRepo.Init", "HgRepo.Ping", "NewRepo", "NewSvnRepo", "SvnRepo.ExportDir", "SvnRepo.Get", "SvnRepo.Ping" ], "path": "github.com/Masterminds/vcs" } ] }
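The flag-interpretation problem described above can be guarded against on the caller's side. The following is an added example, not code from the vcs package or from this advisory. It validates untrusted values and ends option parsing with `--` before a VCS binary sees them. `checkOperand` and `safeCloneCmd` are hypothetical helpers, and the URL and path are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// ErrFlagLike marks a value that a VCS binary would parse as an option.
var ErrFlagLike = errors.New("value begins with '-' and would be parsed as a flag")

// checkOperand (hypothetical helper) rejects empty, flag-like or control-character values.
func checkOperand(name, v string) error {
	if v == "" {
		return fmt.Errorf("%s: empty value", name)
	}
	if strings.HasPrefix(v, "-") {
		return fmt.Errorf("%s: %w", name, ErrFlagLike)
	}
	for _, r := range v {
		if r < 0x20 || r == 0x7f {
			return fmt.Errorf("%s: control character in value", name)
		}
	}
	return nil
}

// safeCloneCmd (hypothetical helper) builds, without running, a git clone command line.
func safeCloneCmd(remote, local string) (*exec.Cmd, error) {
	for _, a := range [][2]string{{"remote", remote}, {"local", local}} {
		if err := checkOperand(a[0], a[1]); err != nil {
			return nil, err
		}
	}
	// "--" ends option parsing, so both values can only be positional operands.
	return exec.Command("git", "clone", "--", remote, local), nil
}

func main() {
	// Constructed sample inputs: one ordinary URL and one flag-like value.
	for _, remote := range []string{"https://example.com/repo.git", "--flag-like=value"} {
		if cmd, err := safeCloneCmd(remote, "/tmp/checkout"); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("would run:", cmd.Args)
		}
	}
}
```

The same check applies to any value that ends up as an argument to the functions listed in the advisory's symbol list, such as the remote and local paths given to `NewRepo`.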