Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-42906

Good to know:

icon

Date: October 12, 2022

powerline-gitstatus (aka Powerline Gitstatus) before 1.3.2 allows arbitrary code execution. git repositories can contain per-repository configuration that changes the behavior of git, including running arbitrary commands. When using powerline-gitstatus, changing to a directory automatically runs git commands in order to display information about the current repository in the prompt. If an attacker can convince a user to change their current directory to one controlled by the attacker, such as in a shared filesystem or extracted archive, powerline-gitstatus will run arbitrary commands under the attacker's control. NOTE: this is similar to CVE-2022-20001.

Language: Python

Severity Score

Related Resources (8)

https://github.com/jaspernbrouwer/powerline-gitstatus/issues/45
https://github.com/jaspernbrouwer/powerline-gitstatus
https://nvd.nist.gov/vuln/detail/CVE-2022-42906
https://github.com/jaspernbrouwer/powerline-gitstatus/commit/fe8e963b3489e4cceaa2c1f26f2bcc2ef405364c
https://security-tracker.debian.org/tracker/CVE-2022-42906
https://lists.debian.org/debian-lts-announce/2023/01/msg00017.html
https://github.com/jaspernbrouwer/powerline-gitstatus/releases/tag/v1.3.2
https://www.mend.io/vulnerability-database/CVE-2022-42906

Severity Score

Weakness Type (CWE)

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-77

Improper Control of Generation of Code ('Code Injection')

CWE-94

CVSS v3.1

Base Score:
Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

Do you need more information?

Contact Us