Safety vulnerability ID: 46409
The information on this page was manually curated by our Cybersecurity Intelligence Team.
libvcs before 0.11.1 is vulnerable to command injection via argument injection. When the update_repo function is called for a Mercurial (hg) repository, the url parameter is passed directly to the hg clone command. By injecting hg options through that parameter it was possible to obtain arbitrary command execution.
Latest version: 0.35.0
Lite, typed, python utilities for Git, SVN, Mercurial, etc.
The package libvcs before 0.11.1 is vulnerable to command injection via argument injection. When the update_repo function is called for a Mercurial (hg) repository, the url parameter is passed directly to the hg clone command. By injecting hg options through that parameter it was possible to obtain arbitrary command execution. See CVE-2022-21187.
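The defensive pattern for this class of bug, as an added example that is not libvcs's own code or its fix: a hypothetical argv builder that refuses option-like values for the remote URL and destination, restricts the URL to an allow-list of schemes, and terminates option parsing with `--` before the positional arguments (relying on hg's standard end-of-options handling). The function names, the scheme allow-list and the sample inputs are assumptions constructed for this example.

```python
import shlex
import subprocess
from urllib.parse import urlsplit

# Assumption for this example: only network URLs are accepted, so local
# paths (which could also start with "-") are rejected outright.
ALLOWED_SCHEMES = {"http", "https", "ssh"}


class UnsafeUrlError(ValueError):
    """Raised when a value could be parsed by hg as an option instead of a source."""


def validate_remote_url(url: str) -> str:
    """Reject anything hg might treat as an option rather than a clone source."""
    if not url or url.strip() != url:
        raise UnsafeUrlError("URL must be non-empty with no surrounding whitespace")
    if url.startswith("-"):
        raise UnsafeUrlError("URL may not start with '-' (looks like an hg option)")
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        raise UnsafeUrlError(f"unsupported or incomplete URL: {url!r}")
    return url


def build_hg_clone_argv(url: str, dest: str) -> list[str]:
    """Build argv as a list (never a shell string); `--` ends option parsing,
    so hg cannot interpret either positional argument as an option."""
    safe_url = validate_remote_url(url)
    if not dest or dest.startswith("-"):
        raise UnsafeUrlError("destination path may not start with '-'")
    return ["hg", "clone", "--", safe_url, dest]


def clone_command_string(url: str, dest: str) -> str:
    """Shell-quoted rendering of the argv, for logging or review only."""
    return shlex.join(build_hg_clone_argv(url, dest))


def is_rejected(url: str, dest: str = "checkout") -> bool:
    """True if the builder refuses the input (used for the checks below)."""
    try:
        build_hg_clone_argv(url, dest)
    except UnsafeUrlError:
        return True
    return False


def run_clone(url: str, dest: str) -> subprocess.CompletedProcess:
    """Run the clone with an argv list and no shell (not invoked in this example)."""
    return subprocess.run(build_hg_clone_argv(url, dest), check=True, capture_output=True)
```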
MISC: https://github.com/vcs-python/libvcs/blob/v0.11.1/CHANGES%23libvcs-0111-2022-03-12
MISC: https://github.com/vcs-python/libvcs/pull/306
MISC: https://snyk.io/vuln/SNYK-PYTHON-LIBVCS-2421204