Description
The package github.com/masterminds/vcs before 1.13.3 is vulnerable to command injection via argument injection. When hg is executed, caller-supplied argument strings are passed to hg in a way that lets an attacker set additional hg flags. Those additional flags can be used to perform a command injection.
A flaw was found in the VCS package, caused by improper validation of user-supplied input. By using a specially crafted argument, a remote attacker could execute arbitrary commands on the system.
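The argument-injection pattern described above, as an added example that is not code from Masterminds/vcs and does not reproduce the upstream 1.13.3 fix: a helper that splices a caller-controlled remote straight into the hg argv (so a value beginning with "-" is parsed by hg as an option), next to a hardened builder that rejects leading-dash values and ends option parsing with hg's standard "--" terminator. The attacker-controlled and benign remote strings, and the helper names, are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// ErrArgumentInjection is returned when a caller-supplied value would be
// consumed by hg as an option rather than as a repository path or URL.
var ErrArgumentInjection = errors.New("refusing value that hg would parse as an option")

// vulnerableCloneArgs mirrors the unsafe pattern the advisory describes:
// caller-controlled strings go straight into the hg argv, so a remote such
// as "--config=..." is parsed by hg as a flag, not as a URL.
func vulnerableCloneArgs(remote, local string) []string {
	return []string{"clone", remote, local}
}

// safeCloneArgs (hypothetical helper) rejects values with a leading "-" and
// terminates option parsing with "--" so every following word is positional.
func safeCloneArgs(remote, local string) ([]string, error) {
	for _, v := range []string{remote, local} {
		if strings.HasPrefix(v, "-") {
			return nil, fmt.Errorf("%w: %q", ErrArgumentInjection, v)
		}
	}
	return []string{"clone", "--", remote, local}, nil
}

// hasInjectedFlag reports whether an argv (subcommand first) contains a word
// that hg would treat as an option before a "--" terminator. It is a last-line
// check for any argv assembled from external input.
func hasInjectedFlag(args []string) bool {
	if len(args) == 0 {
		return false
	}
	for _, a := range args[1:] {
		if a == "--" {
			return false
		}
		if strings.HasPrefix(a, "-") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed attacker-controlled remote shaped like an hg global option.
	attacker := "--config=some.section.key=value"
	// Constructed benign remote.
	benign := "https://example.org/repo"

	bad := vulnerableCloneArgs(attacker, "dest")
	fmt.Println("vulnerable argv:", bad, "injected flag:", hasInjectedFlag(bad))

	if _, err := safeCloneArgs(attacker, "dest"); err != nil {
		fmt.Println("safe builder rejected:", err)
	}

	args, _ := safeCloneArgs(benign, "dest")
	cmd := exec.Command("hg", args...) // prepared only; not executed here
	fmt.Println("safe argv:", cmd.Args, "injected flag:", hasInjectedFlag(args))
}
```

The rejection check and the "--" terminator are complementary: the check stops a leading-dash value from ever reaching hg, and the terminator protects any positional value that later code appends without going through the check.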
Statement
In Red Hat OpenStack, 'github.com/Masterminds/vcs' is a transitive dependency that is not used by operators directly, which reduces the chances of successful exploitation. Hence, the impact for OpenStack is reduced to Moderate.
Affected packages
| Platform | Package | State | Errata | Release |
|---|---|---|---|---|
| OpenShift Developer Tools and Services | helm | Not affected | | |
| OpenShift Serverless | openshift-serverless-1/ingress-rhel8-operator | Affected | | |
| OpenShift Serverless | openshift-serverless-1/knative-rhel8-operator | Affected | | |
| OpenShift Serverless | openshift-serverless-1/serverless-rhel8-operator | Affected | | |
| Red Hat 3scale API Management Platform 2 | github-Masterminds-vcs | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | acm-multicluster-globalhub-agent-container | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | acm-multicluster-globalhub-manager-container | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | acm-multicluster-globalhub-operator-bundle-container | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | acm-multicluster-globalhub-operator-container | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/acm-cluster-proxy-rhel8 | Not affected | | |
Additional information
Status:
EPSS:
CVSS3: 9.8 Critical
Related vulnerabilities
Command Injection Vulnerability with Mercurial in VCS
EPSS:
CVSS3: 9.8 Critical