docs(CHANGES): Detail CVE-2022-21187 for 0.11.1

vcs-python · Mar 14, 2022 · 51bcdda · 51bcdda
1 parent 9f9626b
commit 51bcdda
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/CHANGES b/CHANGES
@@ -6,12 +6,18 @@
 
 ## libvcs 0.11.1 (2022-03-12)
 
-### Potential command injection via mercurial URLs
+### CVE-2022-21187: Command Injection with mercurial repositories
 
 - By setting a mercurial URL with an alias it is possible to execute arbitrary shell commands via
   `.obtain()` or in the case of uncloned destinations, `.update_repo()`. (#306, credit: Alessio
   Della Libera)
 
+  See also:
+
+  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21187,
+    https://nvd.nist.gov/vuln/detail/CVE-2022-21187
+  - https://security.snyk.io/vuln/SNYK-PYTHON-LIBVCS-2421204
+
 ### Development
 
 - Run pyupgrade formatting (#305)