Safety vulnerability ID: 49337
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Cookiecutter 2.1.1 includes a fix for CVE-2022-24065: Cookiecutter before 2.1.1 is vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional flags can be set. The additional flags can be used to perform a command injection.
Latest version: 2.6.0
A command-line utility that creates projects from project templates, e.g. creating a Python package project from a Python package project template.
The package cookiecutter before 2.1.1 are vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional flags can be set. The additional flags can be used to perform a command injection. See CVE-2022-24065.
MISC:https://github.com/cookiecutter/cookiecutter/commit/fdffddb31fd2b46344dfa317531ff155e7999f77: https://github.com/cookiecutter/cookiecutter/commit/fdffddb31fd2b46344dfa317531ff155e7999f77
MISC:https://github.com/cookiecutter/cookiecutter/releases/tag/2.1.1: https://github.com/cookiecutter/cookiecutter/releases/tag/2.1.1
MISC:https://snyk.io/vuln/SNYK-PYTHON-COOKIECUTTER-2414281: https://snyk.io/vuln/SNYK-PYTHON-COOKIECUTTER-2414281
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application