OS Command Injection in cookiecutter
Critical severity
GitHub Reviewed
Published
Jun 9, 2022
to the GitHub Advisory Database
•
Updated Nov 18, 2024
Description
Published by the National Vulnerability Database
Jun 8, 2022
Published to the GitHub Advisory Database
Jun 9, 2022
Reviewed
Jun 9, 2022
Last updated
Nov 18, 2024
The package cookiecutter before 2.1.1 is vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional flags can be set. The additional flags can be used to perform a command injection.
References