
bump cookiecutter version to address CVE #3956

Merged
merged 5 commits into from Jun 16, 2022

Conversation

hawflau
Contributor

@hawflau hawflau commented Jun 10, 2022

The package cookiecutter before 2.1.1 is vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional flags can be set. The additional flags can be used to perform a command injection.

Bumping cookiecutter version to address the CVE.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
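To make the argument-injection pattern described in this PR concrete, here is an added example; it is not cookiecutter's code nor the fix shipped in 2.1.1. It contrasts a wrapper that places a caller-controlled `checkout` value directly after `hg checkout` (so a value beginning with `-` is parsed as an option) with a hardened wrapper that rejects option-looking values and terminates option parsing with `--`. The function names, the `--not-a-ref` value and the fake runner are constructed for this illustration; that both git and hg honour `--` as the end of options is an assumption you should confirm for the VCS you target.

```python
"""Argument-injection demo for a VCS checkout wrapper.

Added example, not cookiecutter's code. Runs offline: nothing here
invokes a real `hg` or `git` binary unless you pass subprocess.run
as the runner yourself.
"""
import subprocess
from typing import Callable, List


def vulnerable_checkout_argv(vcs: str, ref: str) -> List[str]:
    """The pattern the PR describes: the caller-supplied ref lands in the
    position right after the subcommand. hg/git parse any argument that
    starts with '-' as an option, so the caller controls which flags run."""
    return [vcs, "checkout", ref]


def looks_like_option(arg: str) -> bool:
    """True if a VCS option parser would treat this argument as a flag."""
    return arg.startswith("-")


def safe_checkout_argv(vcs: str, ref: str) -> List[str]:
    """Hardened form.

    Defence 1: refuse values that could be parsed as options (and empties).
    Defence 2: insert '--' so option parsing ends before the ref; even a
    value that slips past the check is then treated positionally.
    Assumption: git and hg both honour '--' as end-of-options.
    """
    if not ref or looks_like_option(ref):
        raise ValueError(f"refusing checkout ref that looks like an option: {ref!r}")
    return [vcs, "checkout", "--", ref]


def run_checkout(
    vcs: str,
    ref: str,
    cwd: str,
    runner: Callable[..., object] = subprocess.run,
):
    """Execute the hardened argv with shell=False so no shell metacharacters
    in `ref` are interpreted either. `runner` is injectable for offline tests."""
    argv = safe_checkout_argv(vcs, ref)
    return runner(argv, cwd=cwd, check=True, shell=False)


def _fake_runner(argv: List[str], **kwargs) -> List[str]:
    """Constructed stand-in for subprocess.run: records argv, runs nothing."""
    return argv


def injected_flag(vcs: str, ref: str) -> bool:
    """Report whether the vulnerable wrapper would hand `ref` to the VCS as
    an option. Used to show the difference between the two builders."""
    argv = vulnerable_checkout_argv(vcs, ref)
    return looks_like_option(argv[2])


if __name__ == "__main__":
    # Constructed hostile value: any leading '-' reaches hg's option parser.
    hostile = "--not-a-ref"
    print("vulnerable argv:", vulnerable_checkout_argv("hg", hostile))
    print("parsed as flag? ", injected_flag("hg", hostile))
    try:
        safe_checkout_argv("hg", hostile)
    except ValueError as exc:
        print("hardened wrapper rejected it:", exc)
    print("hardened argv:  ", run_checkout("hg", "v2.1.1", cwd=".", runner=_fake_runner))
```

The check on a leading `-` is the cheap part; the `--` separator is what protects callers you cannot audit, because it stops the VCS from ever seeing the ref as an option. Keep `shell=False` (the default) so the fix does not trade argument injection for shell injection.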

@hawflau hawflau enabled auto-merge (squash) June 10, 2022 00:19
@hawflau hawflau disabled auto-merge June 10, 2022 06:59
@hawflau hawflau merged commit 1b2b2fd into aws:develop Jun 16, 2022
@hawflau hawflau deleted the bump-cookiecutter-version branch June 23, 2022 19:12