GHSA-f2rp-38vg-j3gh

Published: 18 Mar 2021
Source: github
GitHub: Reviewed
CVSS3: 6.3

Description

Null characters not escaped

Impact

Anyone using Shescape to defend against shell injection may still be vulnerable against shell injection if the attacker manages to insert a null character into the payload. For example (on Windows):

    const cp = require("child_process");
    const shescape = require("shescape");

    const nullChar = String.fromCharCode(0);
    // Template literal, so that ${nullChar} is actually interpolated into the payload
    const payload = `foo" && ls -al ${nullChar} && echo "bar`;

    console.log(cp.execSync(`echo ${shescape.quote(payload)}`));
    // foototal 3
    // drwxr-xr-x 1 owner XXXXXX 0 Mar 13 18:44 .
    // drwxr-xr-x 1 owner XXXXXX 0 Mar 13 00:09 ..
    // drwxr-xr-x 1 owner XXXXXX 0 Mar 13 18:42 folder
    // -rw-r--r-- 1 owner XXXXXX 0 Mar 13 18:42 file

Patches

The problem has been patched in v1.1.3 which you can upgrade to now. No further changes are required.

Workarounds

Alternatively, null characters can be stripped out manually using e.g. arg.replace(/\u{0}/gu, "")
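
One way to apply this workaround consistently is to wrap the quoting function so that every argument is checked before it is escaped. This is an added example, not code from the advisory or from Shescape; `guardQuote`, `hasNull`, `stripNull` and `standInQuote` are hypothetical names, and the sample input is constructed.

```javascript
// Added example: strip or reject NUL (U+0000) before an argument reaches a quoting function.
const NUL_PATTERN = /\u{0}/gu; // same pattern as the advisory's workaround

function hasNull(arg) {
  return String(arg).includes("\u0000");
}

function stripNull(arg) {
  return String(arg).replace(NUL_PATTERN, "");
}

// Hypothetical wrapper: quoteFn is whatever escaping function the application
// already uses (for example shescape.quote from a release older than 1.1.3).
// onNull = "strip" applies the workaround; "reject" refuses the input instead,
// which is the stricter choice when a NUL can never be legitimate.
function guardQuote(quoteFn, { onNull = "strip" } = {}) {
  if (onNull !== "strip" && onNull !== "reject") {
    throw new RangeError(`unknown onNull policy: ${onNull}`);
  }
  return function guardedQuote(arg) {
    const text = String(arg);
    if (hasNull(text) && onNull === "reject") {
      throw new TypeError("argument contains a null character");
    }
    return quoteFn(stripNull(text));
  };
}

// Stand-in quoting function for this demo only; it is NOT shescape's implementation.
function standInQuote(arg) {
  return `'${arg.replace(/'/g, "'\\''")}'`;
}

// Constructed sample input: a benign string with embedded NUL characters.
const sample = `report${String.fromCharCode(0)}.txt${String.fromCharCode(0)}`;

const strict = guardQuote(standInQuote, { onNull: "reject" });
const lenient = guardQuote(standInQuote);

console.log(JSON.stringify(lenient(sample)));
try {
  strict(sample);
} catch (err) {
  console.log(`rejected: ${err.message}`);
}
```

Upgrading to 1.1.3 remains the fix; the wrapper only covers call sites that go through it.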

Packages

Name: shescape (npm)
Affected versions: < 1.1.3
Fixed version: 1.1.3

EPSS

Percentile: 38%
0.00165
Low

6.3 Medium

CVSS3

Weaknesses

CWE-88

Related vulnerabilities

CVSS3: 6.3
nvd
almost 5 years ago

shescape is a simple shell escape package for JavaScript. In shescape before version 1.1.3, anyone using Shescape to defend against shell injection may still be vulnerable against shell injection if the attacker manages to insert a null character into the payload. For an example see the referenced GitHub Security Advisory. The problem has been patched in version 1.1.3. No further changes are required.
