CVE-2022-24065

The package cookiecutter before 2.1.1 are vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional flags can be set. The additional flags can be used to perform a command injection.

Published: Jun 8, 2022
Updated: May 9, 2024
CVE: CVE-2022-24065
GHSA: GHSA-f4q6-9qm4-h8j4
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-78
CWE-88

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
cookiecutter_project / cookiecutter	-	2.1.1
fedoraproject / fedora	35	35.x
fedoraproject / fedora	36	36.x
cookiecutter	-	2.1.1

https://github.com/cookiecutter/cookiecutter/commit/fdffddb31fd2b46344dfa317531ff155e7999f77
https://github.com/cookiecutter/cookiecutter/releases/tag/2.1.1
https://github.com/pypa/advisory-database/tree/main/vulns/cookiecutter/PYSEC-2022-204.yaml
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G5TXC4JYTNGOUFMCXPZ6QKWEZN3URTAK/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQKWT7SGFDCUPPLDIELTN7FVTHWDL5YK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G5TXC4JYTNGOUFMCXPZ6QKWEZN3URTAK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQKWT7SGFDCUPPLDIELTN7FVTHWDL5YK/
https://snyk.io/vuln/SNYK-PYTHON-COOKIECUTTER-2414281

Vulnerability Database

CVE-2022-24065