PT-2022-16446 · Unknown+1 · Cookiecutter+1

Alessio Della Libera · Published 2022-06-03 · Updated 2023-08-08 · CVE-2022-24065

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: cookiecutter versions prior to 2.1.1
Description: The issue concerns command injection via hg argument injection. When the cookiecutter function is called from Python code with the checkout parameter, the value is passed to the hg checkout command in a way that allows additional flags to be set. These additional flags can be used to perform a command injection.
Recommendations: For versions prior to 2.1.1, update to version 2.1.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the checkout parameter when calling the cookiecutter function from Python code to minimize the risk of exploitation.
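The description above boils down to one argument-construction mistake: a caller-supplied string lands directly after `hg checkout` on the command line, so a value that starts with `-` is parsed by hg as an option instead of a revision. The following is an added example written for this page, not cookiecutter's own code or its 2.1.1 fix. It shows the fragile argv construction beside a hardened one that (a) allow-lists what a revision may look like and (b) terminates option parsing with `--`. The `SAFE_REF` pattern and the function names are assumptions chosen for illustration; tighten the pattern to whatever your repositories actually use.

```python
"""Added example (not cookiecutter's code): building an `hg checkout` argv
safely when the revision comes from an untrusted caller."""
import re
import subprocess
from typing import List

# Hypothetical allow-list for a Mercurial revision: a branch, bookmark or tag
# name, a changeset hash, or a revision number. The first character may not be
# '-', so nothing that passes can be mistaken for an option.
SAFE_REF = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/+-]{0,254}")


def looks_like_option(value: str) -> bool:
    """True when hg would parse this value as a command-line option."""
    return value.startswith("-")


def unsafe_hg_checkout_argv(checkout: str) -> List[str]:
    """Argument construction of the kind the advisory describes.

    The caller's string is appended verbatim, so `checkout="--verbose"` (a
    constructed, harmless stand-in) becomes an hg option rather than a
    revision. Shown only to contrast with the hardened version below.
    """
    return ["hg", "checkout", checkout]


def safe_hg_checkout_argv(checkout: str) -> List[str]:
    """Hardened construction.

    1. Reject anything that does not match the revision allow-list (this
       already excludes leading '-').
    2. Insert '--' so hg stops option parsing; everything after it is
       positional even if a future allow-list change lets a '-' through.
    """
    if not SAFE_REF.fullmatch(checkout):
        raise ValueError(f"refusing suspicious checkout value: {checkout!r}")
    return ["hg", "checkout", "--", checkout]


def hg_checkout(repo_dir: str, checkout: str) -> bytes:
    """Run the hardened command as an argv list (no shell involved)."""
    return subprocess.check_output(
        safe_hg_checkout_argv(checkout), cwd=repo_dir, stderr=subprocess.STDOUT
    )


if __name__ == "__main__":
    # Constructed inputs: a normal branch name and an option-shaped string.
    for value in ("default", "--verbose"):
        argv = unsafe_hg_checkout_argv(value)
        print("unsafe:", argv, "-> option?", looks_like_option(argv[-1]))
        try:
            print("safe:  ", safe_hg_checkout_argv(value))
        except ValueError as exc:
            print("safe:   rejected:", exc)
```

The `--` terminator is the part that generalizes: it protects any subprocess call where a positional argument is caller-controlled, not only this one. The allow-list is the belt to that suspender, since a `--` alone does not stop a hostile value from naming a revision you did not intend.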

Weakness Enumeration: OS Command Injection

Related Identifiers

CVE-2022-24065
GHSA-F4Q6-9QM4-H8J4
MGASA-2022-0258
PYSEC-2022-204
SNYK-PYTHON-COOKIECUTTER-2414281

Affected Products

Debian
Cookiecutter