{"id":"PYSEC-2022-163","details":"The package libvcs before 0.11.1 are vulnerable to Command Injection via argument injection. When calling the update_repo function (when using hg), the url parameter is passed to the hg clone command. By injecting some hg options it was possible to get arbitrary command execution.","aliases":["CVE-2022-21187","GHSA-mv2w-4jqc-6fg4","SNYK-PYTHON-LIBVCS-2421204"],"modified":"2023-11-08T04:08:04.530929Z","published":"2022-03-14T18:15:00Z","references":[{"type":"WEB","url":"https://github.com/vcs-python/libvcs/pull/306"},{"type":"WEB","url":"https://github.com/vcs-python/libvcs/blob/v0.11.1/CHANGES%23libvcs-0111-2022-03-12"},{"type":"ADVISORY","url":"https://snyk.io/vuln/SNYK-PYTHON-LIBVCS-2421204"}],"affected":[{"package":{"name":"libvcs","ecosystem":"PyPI","purl":"pkg:pypi/libvcs"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.11.1"}]}],"versions":["0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.10.0","0.10.1","0.11.0","0.2.0","0.2.1","0.2.2","0.2.3","0.3.0","0.3.1","0.3.1.post1","0.3.2","0.3.3","0.4.0","0.4.0rc1","0.4.0rc2","0.4.1","0.4.2","0.4.3","0.4.4","0.5.0","0.5.0a1","0.5.0a2","0.9.0","0.9.0a1","0.9.0a2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/libvcs/PYSEC-2022-163.yaml"}}],"schema_version":"1.7.3"}