x/vulndb: potential Go vuln in github.com/Masterminds/vcs: CVE-2022-21235

[GoVulnBot]

CVE-2022-21235 references github.com/Masterminds/vcs, which may be a Go module.

Description:
The package github.com/masterminds/vcs before 1.13.3 are vulnerable to Command Injection via argument injection. When hg is executed, argument strings are passed to hg in a way that additional flags can be set. The additional flags can be used to perform a command injection.

Links:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-21235
• JSON: https://github.com/CVEProject/cvelist/tree/c9c24bfd00b10d77a5582617cf1af1624d9f3b57/2022/21xxx/CVE-2022-21235.json
• PR: Moar fixes Masterminds/vcs#105
• https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMASTERMINDSVCS-2437078

See doc/triage.md for instructions on how to triage this report.

module: github.com/Masterminds/vcs
package: github.com/Masterminds/vcs
description: |+
    The package github.com/masterminds/vcs before 1.13.3 are vulnerable to Command Injection via argument injection. When hg is executed, argument strings are passed to hg in a way that additional flags can be set. The additional flags can be used to perform a command injection.

cves:
  - CVE-2022-21235
credit: Alessio Della Libera of Snyk Research Team
links:
    pr: https://github.com/Masterminds/vcs/pull/105
    context:
      - https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMASTERMINDSVCS-2437078

[gopherbot]

Change https://go.dev/cl/414816 mentions this issue: x/vulndb: add reports/GO-2022-0414.yaml for CVE-2022-21235