packages:
  - module: github.com/Masterminds/vcs
    symbols:
      - BzrRepo.Get
      - BzrRepo.Init
      - BzrRepo.Ping
      - BzrRepo.ExportDir
      - GitRepo.Get
      - GitRepo.Init
      - GitRepo.Update
      - HgRepo.Get
      - HgRepo.Init
      - HgRepo.Ping
      - HgRepo.ExportDir
      - NewSvnRepo
      - SvnRepo.Get
      - SvnRepo.Ping
      - SvnRepo.ExportDir
    derived_symbols:
      - NewRepo
    versions:
      - fixed: 1.13.3
    vulnerable_at: 1.13.1
description: |
    Passing untrusted inputs to VCS functions can permit an attacker
    to execute arbitrary commands.
    The vcs package executes version control commands with
    user-provided arguments. These arguments can be interpreted
    as command-line flags, which can be used to perform command
    injection.
cves:
  - CVE-2022-21235
ghsas:
  - GHSA-6635-c626-vj4r
credit: Alessio Della Libera of Snyk Research Team
links:
    pr: https://github.com/Masterminds/vcs/pull/105