{"url":"http://public2.vulnerablecode.io/api/packages/26969?format=json","purl":"pkg:pypi/libvcs@0.1.3","type":"pypi","namespace":"","name":"libvcs","version":"0.1.3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.11.1","latest_non_vulnerable_version":"0.11.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36057?format=json","vulnerability_id":"VCID-mjcd-sww8-auau","summary":"The package libvcs before 0.11.1 is vulnerable to Command Injection via argument injection. When calling the update_repo function (when using hg), the url parameter is passed to the hg clone command. By injecting some hg options it was possible to get arbitrary command execution.","references":[{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/libvcs/PYSEC-2022-163.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/libvcs/PYSEC-2022-163.yaml"},{"reference_url":"https://github.com/vcs-python/libvcs/blob/master/CHANGES#libvcs-0111-2022-03-12","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/vcs-python/libvcs/blob/master/CHANGES#libvcs-0111-2022-03-12"},{"reference_url":"https://github.com/vcs-python/libvcs/blob/v0.11.1/CHANGES%23libvcs-0111-2022-03-12","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/vcs-python/libvcs/blob/v0.11.1/CHANGES%23libvcs-0111-2022-03-12"},{"reference_url":"https://github.com/vcs-python/libvcs/pull/306","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/vcs-python/libvcs/pull/306"},{"reference_url":"https://github.com/vcs-python/vcspull/blob/master/CHANGES#vcspull-1111-2022-03-12","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/vcs-python/vcspull/blob/master/CHANGES#vcspull-1111-2022-03-12"},{"reference_url":"https://github.com/vcs-python/vcspull/commit/e1b77128a1fa0754625b5f43d8bc47956f21f33e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/vcs-python/vcspull/commit/e1b77128a1fa0754625b5f43d8bc47956f21f33e"},{"reference_url":"https://snyk.io/vuln/SNYK-PYTHON-LIBVCS-2421204","reference_id":"","reference_type":"","scores":[],"url":"https://snyk.io/vuln/SNYK-PYTHON-LIBVCS-2421204"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21187","reference_id":"CVE-2022-21187","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21187"},{"reference_url":"https://github.com/advisories/GHSA-mv2w-4jqc-6fg4","reference_id":"GHSA-mv2w-4jqc-6fg4","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mv2w-4jqc-6fg4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26999?format=json","purl":"pkg:pypi/libvcs@0.11.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/libvcs@0.11.1"}],"aliases":["CVE-2022-21187","GHSA-mv2w-4jqc-6fg4","PYSEC-2022-163","SNYK-PYTHON-LIBVCS-2421204"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mjcd-sww8-auau"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/libvcs@0.1.3"}