| id: GO-2022-0414 |
| modules: |
| - module: github.com/Masterminds/vcs |
| versions: |
| - fixed: 1.13.3 |
| vulnerable_at: 1.13.1 |
| packages: |
| - package: github.com/Masterminds/vcs |
| symbols: |
| - BzrRepo.Get |
| - BzrRepo.Init |
| - BzrRepo.Ping |
| - BzrRepo.ExportDir |
| - GitRepo.Get |
| - GitRepo.Init |
| - GitRepo.Update |
| - HgRepo.Get |
| - HgRepo.Init |
| - HgRepo.Ping |
| - HgRepo.ExportDir |
| - NewSvnRepo |
| - SvnRepo.Get |
| - SvnRepo.Ping |
| - SvnRepo.ExportDir |
| derived_symbols: |
| - NewRepo |
| summary: Command injection in github.com/Masterminds/vcs |
| description: |- |
| Passing untrusted inputs to VCS functions can permit an attacker to execute |
| arbitrary commands. |
| |
| The vcs package executes version control commands with user-provided arguments. |
| These arguments can be interpreted as command-line flags, which can be used to |
| perform command injection. |
| published: 2022-07-01T20:08:17Z |
| cves: |
| - CVE-2022-21235 |
| ghsas: |
| - GHSA-6635-c626-vj4r |
| credits: |
| - Alessio Della Libera of Snyk Research Team |
| references: |
| - fix: https://github.com/Masterminds/vcs/pull/105 |
| review_status: REVIEWED |