PT-2022-14942 · Masterminds · Vcs

Alessio Della Libera · Published 2022-04-01 · Updated 2026-03-17 · CVE-2022-21235

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: github.com/masterminds/vcs versions prior to 1.13.3

Description: The issue is command injection by way of argument injection. When the package executes hg, the URL or local path it received is passed as a positional argument without being separated from the option list, so a value that begins with a hyphen is parsed by hg as an additional flag, and some flags let hg run arbitrary commands. The problem is triggered when URLs or local file paths supplied to the Mercurial (hg) APIs are crafted to contain such option strings. The vcs package delegates to the underlying version control system, here hg, and other version control systems for which it implements an interface may be affected in the same way. Passing untrusted input to the vcs functions can therefore allow an attacker to execute arbitrary commands.

Recommendations: For versions prior to 1.13.3, update to version 1.13.3 or later to resolve the issue. As a temporary workaround, sanitize data passed to the vcs package APIs so that it cannot contain option strings or other unexpected content, especially where user-supplied input is passed directly to the package APIs.
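The workaround above amounts to refusing any URL or path that a VCS command-line parser could read as an option. The following Go code is an added example of such a check, not code from the vcs package or from its fix; `CheckVCSArg` and `HgCloneArgs` are hypothetical helper names, and the example assumes the hg binary honours the conventional `--` end-of-options marker, which is used here as a second layer of defence in addition to the rejection of hyphen-prefixed input.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrOptionLike is returned for a value that a VCS command-line parser
// could interpret as a flag rather than as a URL or path.
var ErrOptionLike = errors.New("vcs input looks like a command-line option")

// CheckVCSArg rejects an untrusted URL or local path that begins with '-',
// which hg would parse as an option when the value is passed positionally.
// Leading whitespace is trimmed first so that a value such as "  -x" cannot
// slip past the prefix test. Hypothetical helper written for this example.
func CheckVCSArg(s string) error {
	t := strings.TrimSpace(s)
	if t == "" {
		return errors.New("vcs input is empty")
	}
	if strings.HasPrefix(t, "-") {
		return fmt.Errorf("%w: %q", ErrOptionLike, s)
	}
	return nil
}

// HgCloneArgs builds the argument vector for an hg clone. Both the remote
// and the local path are validated, and they are placed after the "--"
// end-of-options marker so hg never reads them as flags (assumption: the
// hg binary honours "--"). Hypothetical helper; the vcs package builds its
// own command lines and this is not its code.
func HgCloneArgs(remote, local string) ([]string, error) {
	for _, v := range []string{remote, local} {
		if err := CheckVCSArg(v); err != nil {
			return nil, err
		}
	}
	return []string{"clone", "--", remote, local}, nil
}

func main() {
	// Constructed inputs: one benign remote and one value shaped like an option.
	for _, in := range []string{"https://example.invalid/repo", "--not-a-url"} {
		if err := CheckVCSArg(in); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted:", in)
		}
	}
	args, err := HgCloneArgs("https://example.invalid/repo", "/tmp/work")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	// The resulting argv would be handed to exec.Command("hg", args...).
	fmt.Println("hg", strings.Join(args, " "))
}
```

The check is deliberately placed before the arguments reach the VCS wrapper, which is where the advisory says the sanitisation belongs; the `--` separator is kept as well because a validator can be bypassed if a future code path forgets to call it, whereas the separator protects every invocation that uses `HgCloneArgs`.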

Fix

Argument Injection

Command Injection


Weakness Enumeration

Related Identifiers

CVE-2022-21235
GHSA-6635-C626-VJ4R
GO-2022-0414
SNYK-GOLANG-GITHUBCOMMASTERMINDSVCS-2437078

Affected Products

Vcs