Lucene search

K

GoogleOSV:CVE-2022-24065

HistoryJun 08, 2022 - 8:15 a.m.

CVE-2022-24065

2022-06-0808:15:07

Google

osv.dev

8

cookiecutter

command injection

python

AI Score

9.9

Confidence

High

EPSS

0.01

Percentile

84.1%

The package cookiecutter before 2.1.1 are vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional flags can be set. The additional flags can be used to perform a command injection.

References

github.com/cookiecutter/cookiecutter/commit/fdffddb31fd2b46344dfa317531ff155e7999f77

github.com/cookiecutter/cookiecutter/releases/tag/2.1.1

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G5TXC4JYTNGOUFMCXPZ6QKWEZN3URTAK/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQKWT7SGFDCUPPLDIELTN7FVTHWDL5YK/

snyk.io/vuln/SNYK-PYTHON-COOKIECUTTER-2414281

AI Score

9.9

Confidence

High

EPSS

0.01

Percentile

84.1%

Related for OSV:CVE-2022-24065

openvas3 github1 cvelist1 debiancve1 veracode1 fedora2 osv2 cve1 mageia1 ubuntucve1 prion1 nvd1