Bug 2215317 (CVE-2022-21235) - CVE-2022-21235 github.com/Masterminds/vcs: Command Injection via argument injection
Summary: CVE-2022-21235 github.com/Masterminds/vcs: Command Injection via argument inj...
Keywords:
Status: NEW
Alias: CVE-2022-21235
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2215329 2215332 2215479 2215480 2215481 2215482 2215483 2215484 2215485 2215486 2215487 2215488 2215489 2215490 2215491 2215492 2215493 2216406 2217526
Blocks: 2215338
Reported: 2023-06-15 14:09 UTC by Marian Rehak
Modified: 2024-01-18 22:24 UTC (History)
CC List: 62 users

Fixed In Version: github.com/masterminds/vcs 1.13.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the VCS package, caused by improper validation of user-supplied input. By using a specially-crafted argument, a remote attacker could execute arbitrary commands on the system.
Clone Of:
Environment:
Last Closed:
Embargoed:

Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2023:4053  0        None      None    None     2023-07-19 01:16:27 UTC
Red Hat Product Errata  RHSA-2023:4582  0        None      None    None     2023-08-16 00:19:51 UTC
Red Hat Product Errata  RHSA-2023:4694  0        None      None    None     2023-08-22 00:09:43 UTC

Description Marian Rehak 2023-06-15 14:09:08 UTC
The package github.com/masterminds/vcs before 1.13.3 is vulnerable to Command Injection via argument injection. When hg is executed, argument strings are passed to hg in a way that additional flags can be set. The additional flags can be used to perform a command injection.

Reference:

https://github.com/Masterminds/vcs/pull/105
https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMASTERMINDSVCS-2437078
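The description above is the whole of what this record says about the flaw: a value the caller controls (a remote URL or a local path) is handed to `hg` as a positional argument, and if that value starts with `-`, `hg` parses it as an option instead. The defensive pattern for this class of bug is to reject positional values that look like flags and to place them after the `--` end-of-options separator so the program cannot reinterpret them. The following Go example is added here to illustrate that pattern; it is not code from Masterminds/vcs, from PR 105, or from Red Hat, and it does not claim to reproduce the actual fix shipped in 1.13.3. The function names, the decision to build `hg clone` argv slices, and the sample inputs are all assumptions made for the example; the only external fact relied on is that Mercurial accepts `--` to end option parsing.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// ErrArgumentInjection is returned when a value intended as a positional
// argument would be parsed by hg as an option flag.
var ErrArgumentInjection = errors.New("positional argument looks like an option flag")

// unsafeHgCloneArgs mirrors the vulnerable pattern described in the report:
// caller-controlled strings are placed directly after the subcommand, where
// a value beginning with '-' is interpreted by hg as a flag. It is shown only
// for contrast with the hardened builder below.
func unsafeHgCloneArgs(remote, local string) []string {
	return []string{"clone", remote, local}
}

// validatePositional rejects empty values and values that hg would treat as
// short or long options. Empty strings are rejected because they would shift
// the positional arguments and change what hg does with the remaining ones.
func validatePositional(arg string) error {
	if arg == "" || strings.HasPrefix(arg, "-") {
		return fmt.Errorf("%w: %q", ErrArgumentInjection, arg)
	}
	return nil
}

// buildHgCloneArgs is the hardened builder (hypothetical name). It applies
// two independent defences: every positional value is validated, and all of
// them are placed after the "--" separator so that hg's option parser stops
// before it reaches them. Either defence alone blocks the injection; using
// both means a future change to one does not silently reopen the issue.
func buildHgCloneArgs(remote, local string) ([]string, error) {
	for _, a := range []string{remote, local} {
		if err := validatePositional(a); err != nil {
			return nil, err
		}
	}
	return []string{"clone", "--", remote, local}, nil
}

// hgClone wraps the validated argv in an exec.Cmd. exec.Command never
// invokes a shell, so the remaining risk is exactly the flag reinterpretation
// that buildHgCloneArgs guards against; the command is returned, not run.
func hgClone(remote, local string) (*exec.Cmd, error) {
	args, err := buildHgCloneArgs(remote, local)
	if err != nil {
		return nil, err
	}
	return exec.Command("hg", args...), nil
}

func main() {
	// Constructed sample inputs: a plausible remote and a value that starts
	// with '-' and therefore must be refused.
	inputs := []struct{ remote, local string }{
		{"https://hg.example.invalid/project", "/tmp/project"},
		{"--some-flag=value", "/tmp/project"},
	}
	for _, in := range inputs {
		fmt.Printf("unsafe argv: %q\n", unsafeHgCloneArgs(in.remote, in.local))
		cmd, err := hgClone(in.remote, in.local)
		if err != nil {
			fmt.Printf("rejected: %v\n", err)
			continue
		}
		fmt.Printf("safe argv:   %q\n", cmd.Args)
	}
}
```

The same two-part check applies to any command-line VCS driven through `os/exec` (git also honours `--`): validate each caller-supplied positional value, then separate it from the options with `--`. A detection-minded reviewer can grep a code base for `exec.Command("hg"` and `exec.Command("git"` call sites and confirm that each one routes user input through such a builder rather than concatenating it into the argv directly.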

Comment 1 Marian Rehak 2023-06-15 14:46:06 UTC
Created golang-github-Masterminds-vcs tracking bugs for this issue:

Affects: epel-7 [bug 2215329]

Comment 2 Marian Rehak 2023-06-15 14:50:03 UTC
Created glide tracking bugs for this issue:

Affects: epel-7 [bug 2215332]

Comment 13 errata-xmlrpc 2023-07-19 01:16:24 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:4053 https://access.redhat.com/errata/RHSA-2023:4053

Comment 14 sakshi 2023-07-21 00:49:03 UTC
The customer has an OpenShift environment (uses CoreOS and in-place Ceph) and just completed the environment upgrade to 4.10.59. On the standalone servers, the customer is running either RHEL8.8 or RHEL7.9.

The customer is impacted by vulnerability `CVE-2022-21235` and this bug. The customer wants to know when this bug will be fixed. Kindly assist.

Comment 15 sakshi 2023-07-24 07:29:23 UTC
Hi Team, Any timeline when this issue will be fixed?

Comment 16 sakshi 2023-07-31 01:31:33 UTC
Hi Team, Customer wants to know the timeline for when this issue will be fixed. Kindly assist. Thanks!

Comment 19 errata-xmlrpc 2023-08-16 00:19:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1

Via RHSA-2023:4582 https://access.redhat.com/errata/RHSA-2023:4582

Comment 20 sakshi 2023-08-21 06:37:52 UTC
Hi Team, the customer uses CoreOS and in-place Ceph and just completed the environment upgrade to 4.10.59. On the standalone servers, the customer is running either RHEL8.8 or RHEL7.9.

The customer is impacted by vulnerability `CVE-2022-21235` and this bug. The customer wants to know when this bug will be fixed. The customer has been waiting for feedback for a long time. Please assist.

Comment 21 errata-xmlrpc 2023-08-22 00:09:39 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:4694 https://access.redhat.com/errata/RHSA-2023:4694
