Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-24065

Good to know:

icon
icon

Date: June 8, 2022

The package cookiecutter before 2.1.1 are vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional flags can be set. The additional flags can be used to perform a command injection.

Language: Python

Severity Score

Related Resources (7)

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G5TXC4JYTNGOUFMCXPZ6QKWEZN3URTAK/
https://github.com/cookiecutter/cookiecutter/releases/tag/2.1.1
https://security-tracker.debian.org/tracker/CVE-2022-24065
https://nvd.nist.gov/vuln/detail/CVE-2022-24065
https://github.com/cookiecutter/cookiecutter/commit/fdffddb31fd2b46344dfa317531ff155e7999f77
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQKWT7SGFDCUPPLDIELTN7FVTHWDL5YK/
https://www.mend.io/vulnerability-database/CVE-2022-24065

Severity Score

Weakness Type (CWE)

Argument Injection or Modification

CWE-88

OS Command Injections

CWE-78

Top Fix

icon

Upgrade Version

Upgrade to version cookiecutter - 2.1.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): PARTIAL
Additional information:

Do you need more information?

Contact Us