Headline
CVE-2022-24065: Command Injection in cookiecutter | CVE-2022-24065 | Snyk
The package cookiecutter before 2.1.1 are vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional flags can be set. The additional flags can be used to perform a command injection.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications
snyk-id
SNYK-PYTHON-COOKIECUTTER-2414281
published
2 Jun 2022
disclosed
2 Mar 2022
credit
Alessio Della Libera of Snyk Research Team
How to fix?
Upgrade cookiecutter to version 2.1.1 or higher.
Overview
cookiecutter is a command-line utility that creates projects from cookiecutters.
Affected versions of this package are vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional flags can be set. The additional flags can be used to perform a command injection.
PoC
from cookiecutter.main import cookiecutter
checkout = "--config=alias.checkout=!touch ./HELLO"
cookiecutter('some valid hg repository', checkout=checkout)Related news
The package cookiecutter before 2.1.1 is vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional flags can be set. The additional flags can be used to perform a command injection.