GHSA-446W-RRM4-R47F

Vulnerability from github – Published: 2022-03-03 19:26 – Updated: 2022-03-18 20:06
Summary
Exposure of home directory through shescape on Unix with Bash
Details

Impact

The issue allows for exposure of the home directory on Unix systems when using Bash with the escape or escapeAll functions from the shescape API with the interpolation option set to true. Other tested shells, Dash and Zsh, are not affected.

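const cp = require("child_process");
const shescape = require("shescape");

// The escaped argument still contains a tilde that Bash expands to the home directory.
const payload = "home_directory=~";
const options = { interpolation: true };
// execSync returns a Buffer; convert it so the result prints as text.
console.log(cp.execSync(`echo ${shescape.escape(payload, options)}`).toString());
// home_directory=/home/user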

Depending on how the output of shescape is used, directory traversal may be possible in the application using shescape.

Patches

The issue was patched in v1.5.1.

Workarounds

Manually escape all instances of the tilde character (~) using arg.replace(/~/g, "\\~").
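
The workaround above, checked against Bash directly. This is an added example, not code from the advisory or from shescape, and it does not call shescape. The /bin/bash path, the HOME value and the sample words other than the advisory's payload are constructed assumptions.

```javascript
const { execFileSync } = require("child_process");
const fs = require("fs");

const BASH = "/bin/bash"; // assumption: Bash is installed at this path
const FAKE_HOME = "/home/constructed-user"; // constructed value, not a real account

// Workaround from the advisory: backslash-escape every tilde.
function escapeTilde(arg) {
  return arg.replace(/~/g, "\\~");
}

// Echo one unquoted word through Bash with a controlled environment.
// The word is interpolated as-is, so pass only the constructed samples below.
// Returns null when Bash is not installed at BASH.
function echoInBash(word) {
  if (!fs.existsSync(BASH)) return null;
  return execFileSync(BASH, ["--noprofile", "--norc", "-c", `echo ${word}`], {
    env: { HOME: FAKE_HOME },
    encoding: "utf8",
  }).trimEnd();
}

// What Bash prints for a word before and after the workaround.
function compare(word) {
  return { raw: echoInBash(word), escaped: echoInBash(escapeTilde(word)) };
}

// Constructed samples: the advisory's payload, a leading tilde, a mid-word tilde.
const SAMPLES = ["home_directory=~", "~/notes.txt", "a~b"];

for (const word of SAMPLES) {
  const { raw, escaped } = compare(word);
  console.log(`${word}: raw -> ${raw} | escaped -> ${escaped}`);
}
```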

References

See GitHub issue https://github.com/ericcornelissen/shescape/issues/169.


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "shescape"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24725"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-03T19:26:11Z",
    "nvd_published_at": "2022-03-03T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe issue allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected.\n\n```javascript\nconst cp = require(\"child_process\");\nconst shescape = require(\"shescape\");\n\nconst payload = \"home_directory=~\";\nconst options = { interpolation: true };\nconsole.log(cp.execSync(`echo ${shescape.escape(payload, options)}`));\n// home_directory=/home/user\n```\n\nDepending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_.\n\n### Patches\n\nThe issue was patched in `v1.5.1`.\n\n### Workarounds\n\nManually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, \"\\\\~\")`.\n\n### References\n\nSee GitHub issue https://github.com/ericcornelissen/shescape/issues/169.\n",
  "id": "GHSA-446w-rrm4-r47f",
  "modified": "2022-03-18T20:06:07Z",
  "published": "2022-03-03T19:26:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24725"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ericcornelissen/shescape/issues/169"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ericcornelissen/shescape/pull/170"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ericcornelissen/shescape"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Exposure of home directory through shescape on Unix with Bash"
}

