PT-2022-14911 · Libvcs · Libvcs

Alessio Della Libera · Published 2022-03-14 · Updated 2023-08-08 · CVE-2022-21187

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: libvcs versions prior to 0.11.1

Description: The issue is command injection via argument injection. When the update repo function is called with hg as the VCS, the url parameter is passed directly to the hg clone command, so a url value that looks like an option is parsed by hg as an option rather than as a repository location. This allows the injection of hg options and can lead to arbitrary command execution.

Recommendations: For versions prior to 0.11.1, update to version 0.11.1 or later to resolve the issue. As a temporary workaround, restrict the use of the update repo function with hg until the patch is applied, and avoid passing untrusted input as the url parameter of the affected function to minimize the risk of exploitation.
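The following is an added example, not libvcs code, showing the defensive check a caller can apply before a repository url reaches an hg command line: option-like values are rejected and the argv is built without a shell, with `--` ending option parsing. Function names and the allowed-scheme policy are assumptions of this example, as is the assumption that hg honours `--` as an end-of-options marker.

```python
"""Validate a VCS 'url' argument before building an `hg clone` command line.

Added example (not libvcs code). It models the defect class behind
CVE-2022-21187: a url value beginning with '-' is read by hg as an option
instead of a repository location. All helper names are hypothetical.
"""
from urllib.parse import urlsplit

# Assumed policy for this example: only remote repository schemes are accepted.
ALLOWED_SCHEMES = {"http", "https", "ssh"}


class UnsafeRepoUrl(ValueError):
    """Raised when a url would be interpreted as something other than a URL."""


def validate_repo_url(url: str) -> str:
    """Return url unchanged if it is a plain remote repository URL, else raise."""
    if not isinstance(url, str) or not url.strip():
        raise UnsafeRepoUrl("empty url")
    if url.lstrip().startswith("-"):
        # A leading dash is the signature of an option, not a location.
        raise UnsafeRepoUrl("url starts with '-'")
    if any(ch in url for ch in "\n\r\x00"):
        raise UnsafeRepoUrl("url contains control characters")
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        raise UnsafeRepoUrl(f"unsupported or missing scheme/host in {url!r}")
    return url


def is_safe_repo_url(url: str) -> bool:
    """Boolean form of validate_repo_url for callers that prefer not to catch."""
    try:
        validate_repo_url(url)
    except UnsafeRepoUrl:
        return False
    return True


def build_hg_clone_argv(url: str, dest: str) -> list[str]:
    """Build the argv list for cloning `url` into `dest` with hg.

    The list is meant for subprocess without a shell. '--' ends option parsing
    (assumed, as in getopt-style parsers) so neither positional value can be
    consumed as an option even if validation is bypassed upstream.
    """
    validate_repo_url(url)
    if dest.startswith("-"):
        raise UnsafeRepoUrl("destination starts with '-'")
    return ["hg", "clone", "--", url, dest]
```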

Weakness Enumeration

Special Elements Injection
Argument Injection
Command Injection

Related Identifiers

CVE-2022-21187
GHSA-MV2W-4JQC-6FG4
PYSEC-2022-163
SNYK-PYTHON-LIBVCS-2421204

Affected Products

Libvcs