{"id":"GHSA-4v3r-hqr9-69jf","summary":"Command Injection in Nuitka","details":"Nuitka 0.8.4 and prior is vulnerable to command injection. A patch is available and anticipated to be part of the `0.9` release.","aliases":["CVE-2022-2054","PYSEC-2022-209"],"modified":"2026-02-22T22:56:08.391489Z","published":"2022-06-13T00:00:18Z","database_specific":{"severity":"HIGH","github_reviewed_at":"2022-06-23T06:44:17Z","nvd_published_at":"2022-06-12T14:15:00Z","cwe_ids":["CWE-77","CWE-94"],"github_reviewed":true},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2054"},{"type":"WEB","url":"https://github.com/Nuitka/Nuitka/commit/1765ffce2a9ab859853210337390de242cd80712"},{"type":"WEB","url":"https://github.com/nuitka/nuitka/commit/09647745d7cbb6ff32f9fa948f19d5558b32bcad"},{"type":"PACKAGE","url":"https://github.com/nuitka/nuitka"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/nuitka/PYSEC-2022-209.yaml"},{"type":"WEB","url":"https://huntr.dev/bounties/ea4a842c-c48c-4aae-a599-3305125c63a7"}],"affected":[{"package":{"name":"nuitka","ecosystem":"PyPI","purl":"pkg:pypi/nuitka"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.9"}]}],"versions":["0.4.0","0.4.1","0.4.2","0.4.3","0.4.4","0.4.4.1","0.4.4.2","0.4.5","0.4.5.1","0.4.5.2","0.4.5.3","0.4.6","0.4.6.1","0.4.6.2","0.4.7","0.4.7.1","0.4.7.2","0.5.0.1","0.5.1","0.5.1.1","0.5.1.5","0.5.1.6","0.5.10","0.5.10.1","0.5.10.2","0.5.11","0.5.11.1","0.5.11.2","0.5.12","0.5.12.1","0.5.12.2","0.5.13","0.5.13.1","0.5.13.2","0.5.13.3","0.5.13.4","0.5.13.6","0.5.13.7","0.5.13.8","0.5.14","0.5.14.1","0.5.14.2","0.5.14.3","0.5.15","0.5.16","0.5.16.1","0.5.19","0.5.2","0.5.2.1","0.5.20","0.5.22","0.5.23.1","0.5.24.1","0.5.24.4","0.5.25","0.5.26","0.5.27","0.5.28","0.5.28.1","0.5.29","0.5.29.1","0.5.29.2","0.5.29.3","0.5.29.4","0.5.29.5","0.5.3.2","0.5.3.3","0.5.3.4","0.5.3.5","0.5.30","0.5.31","0.5.32","0.5.32.1","0.5.32.2","0.5.32.3","0.5.32.4","0.5.32.5","0.5.32.6","0.5.32.7","0.5.32.8","0.5.33","0.5.4","0.5.4.1","0.5.4.2","0.5.4.3","0.5.5","0.5.5.1","0.5.5.2","0.5.5.3","0.5.6.1","0.5.7","0.5.7.1","0.5.8","0.5.9","0.6.0","0.6.0.1","0.6.0.2","0.6.0.3","0.6.0.4","0.6.0.5","0.6.0.6","0.6.1","0.6.1.1","0.6.10","0.6.10.1","0.6.10.2","0.6.10.3","0.6.10.4","0.6.10.5","0.6.11","0.6.11.1","0.6.11.2","0.6.11.3","0.6.11.4","0.6.11.5","0.6.11.6","0.6.12","0.6.12.1","0.6.12.2","0.6.12.3","0.6.12.4","0.6.13","0.6.13.1","0.6.13.2","0.6.13.3","0.6.14","0.6.14.1","0.6.14.2","0.6.14.3","0.6.14.4","0.6.14.6","0.6.14.7","0.6.15","0.6.15.1","0.6.15.3","0.6.16","0.6.16.1","0.6.16.2","0.6.16.3","0.6.16.4","0.6.17","0.6.17.1","0.6.17.2","0.6.17.3","0.6.17.4","0.6.17.5","0.6.17.6","0.6.17.7","0.6.18","0.6.18.1","0.6.18.2","0.6.18.3","0.6.18.4","0.6.18.5","0.6.18.6","0.6.19","0.6.19.1","0.6.19.2","0.6.19.3","0.6.19.4","0.6.19.5","0.6.19.6","0.6.19.7","0.6.2","0.6.3","0.6.3.1","0.6.4","0.6.5","0.6.6","0.6.7","0.6.8","0.6.8.1","0.6.8.2","0.6.8.3","0.6.8.4","0.6.9.1","0.6.9.2","0.6.9.3","0.6.9.4","0.6.9.6","0.7","0.7.1","0.7.2","0.7.3","0.7.4","0.7.5","0.7.6","0.7.7","0.8","0.8.1","0.8.2","0.8.3","0.8.4"],"database_specific":{"last_known_affected_version_range":"\u003c= 0.8.4","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-4v3r-hqr9-69jf/GHSA-4v3r-hqr9-69jf.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}