CVE-2022-21187
Command injection in libvcs and vcspull
CVSS 3.1 base score: 8.1 (HIGH)
EPSS: 1.3%
Description
The package libvcs before 0.11.1 is vulnerable to command injection via argument injection. When the update_repo function is called on a Mercurial (hg) repository, the url parameter is passed directly to the hg clone command line. Because a url value beginning with a dash is interpreted by hg as an option rather than a repository location, an attacker who controls the url could inject hg options and obtain arbitrary command execution.
How to fix CVE-2022-21187
To remediate CVE-2022-21187, upgrade the affected package to a fixed version below.
- upgrade to 0.11.1 or later
- upgrade to 0.11.1 or later
- upgrade to 1.11.1 or later
Is CVE-2022-21187 being exploited?
Low — EPSS is 1.3%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- affected versions: >= 0, < 0.11.1
- affected versions: >= 0, < 0.11.1
- affected versions: >= 0, < 1.11.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH (8.1) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |