Description
Shescape is a simple shell escape library for JavaScript. This vulnerability may impact users that use Shescape on Windows in a threaded context. It can result in Shescape escaping (or quoting) for the wrong shell, thus allowing attackers to bypass protections depending on the combination of expected and used shell. This bug has been patched in version 1.7.4.
References
- Patch
- Patch
- Release Notes
- Exploit, Patch, Vendor Advisory
Vulnerable configurations
Configuration 1: versions before 1.7.4 (exclusive)
Simultaneously
cpe:2.3:a:shescape_project:shescape:*:*:*:*:*:node.js:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
EPSS
Percentile: 24%
0.00084
Low
6.5 Medium
CVSS3
8.6 High
CVSS3
Weaknesses
CWE-150
Related vulnerabilities
CVSS3: 8.6
github
more than 2 years ago
Shescape on Windows escaping may be bypassed in threaded context