blob: 0624e614c2bb251a621bfb83a0a7b60d06375650 [file] [log] [blame]
id: GO-2022-0414
modules:
- module: github.com/Masterminds/vcs
versions:
- fixed: 1.13.3
vulnerable_at: 1.13.1
packages:
- package: github.com/Masterminds/vcs
symbols:
- BzrRepo.Get
- BzrRepo.Init
- BzrRepo.Ping
- BzrRepo.ExportDir
- GitRepo.Get
- GitRepo.Init
- GitRepo.Update
- HgRepo.Get
- HgRepo.Init
- HgRepo.Ping
- HgRepo.ExportDir
- NewSvnRepo
- SvnRepo.Get
- SvnRepo.Ping
- SvnRepo.ExportDir
derived_symbols:
- NewRepo
summary: Command injection in github.com/Masterminds/vcs
description: |-
Passing untrusted inputs to VCS functions can permit an attacker to execute
arbitrary commands.
The vcs package executes version control commands with user-provided arguments.
These arguments can be interpreted as command-line flags, which can be used to
perform command injection.
published: 2022-07-01T20:08:17Z
cves:
- CVE-2022-21235
ghsas:
- GHSA-6635-c626-vj4r
credits:
- Alessio Della Libera of Snyk Research Team
references:
- fix: https://github.com/Masterminds/vcs/pull/105
review_status: REVIEWED