-
Notifications
You must be signed in to change notification settings - Fork 303
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
1d6ccba
commit d184017
Showing
2 changed files
with
94 additions
and
41 deletions.
There are no files selected for viewing
94 changes: 94 additions & 0 deletions
94
advisories/github-reviewed/2022/03/GHSA-mv2w-4jqc-6fg4/GHSA-mv2w-4jqc-6fg4.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,94 @@ | ||
| { | ||
| "schema_version": "1.2.0", | ||
| "id": "GHSA-mv2w-4jqc-6fg4", | ||
| "modified": "2022-03-15T17:05:10Z", | ||
| "published": "2022-03-15T00:00:53Z", | ||
| "aliases": [ | ||
| "CVE-2022-21187" | ||
| ], | ||
| "summary": "Command injection in libvcs and vcspull", | ||
| "details": "The package libvcs before 0.11.1 are vulnerable to Command Injection via argument injection. When calling the update_repo function (when using hg), the url parameter is passed to the hg clone command. By injecting some hg options it was possible to get arbitrary command execution.", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" | ||
| } | ||
| ], | ||
| "affected": [ | ||
| { | ||
| "package": { | ||
| "ecosystem": "PyPI", | ||
| "name": "libvcs" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "0.11.1" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "package": { | ||
| "ecosystem": "PyPI", | ||
| "name": "vcspull" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "1.11.1" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21187" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/vcs-python/libvcs/pull/306" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/vcs-python/vcspull/commit/e1b77128a1fa0754625b5f43d8bc47956f21f33e" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/vcs-python/libvcs/blob/master/CHANGES#libvcs-0111-2022-03-12" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/vcs-python/libvcs/blob/v0.11.1/CHANGES%23libvcs-0111-2022-03-12" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/vcs-python/vcspull/blob/master/CHANGES#vcspull-1111-2022-03-12" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://snyk.io/vuln/SNYK-PYTHON-LIBVCS-2421204" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-74" | ||
| ], | ||
| "severity": "HIGH", | ||
| "github_reviewed": true | ||
| } | ||
| } |
41 changes: 0 additions & 41 deletions
41
advisories/unreviewed/2022/03/GHSA-mv2w-4jqc-6fg4/GHSA-mv2w-4jqc-6fg4.json
This file was deleted.
Oops, something went wrong.