ghsa-446w-rrm4-r47f
Vulnerability from github
Impact
The issue allows for exposure of the home directory on Unix systems when using Bash with the escape or escapeAll functions from the shescape API with the interpolation option set to true. Other tested shells, Dash and Zsh, are not affected.
```javascript const cp = require("child_process"); const shescape = require("shescape");
const payload = "home_directory=~";
const options = { interpolation: true };
console.log(cp.execSync(echo ${shescape.escape(payload, options)}));
// home_directory=/home/user
```
Depending on how the output of shescape is used, directory traversal may be possible in the application using shescape.
Patches
The issue was patched in v1.5.1.
Workarounds
Manually escape all instances of the tilde character (~) using arg.replace(/~/g, "\\~").
References
See GitHub issue https://github.com/ericcornelissen/shescape/issues/169.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "shescape"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.0"
},
{
"fixed": "1.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24725"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-03T19:26:11Z",
"nvd_published_at": "2022-03-03T22:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nThe issue allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected.\n\n```javascript\nconst cp = require(\"child_process\");\nconst shescape = require(\"shescape\");\n\nconst payload = \"home_directory=~\";\nconst options = { interpolation: true };\nconsole.log(cp.execSync(`echo ${shescape.escape(payload, options)}`));\n// home_directory=/home/user\n```\n\nDepending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_.\n\n### Patches\n\nThe issue was patched in `v1.5.1`.\n\n### Workarounds\n\nManually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, \"\\\\~\")`.\n\n### References\n\nSee GitHub issue https://github.com/ericcornelissen/shescape/issues/169.\n",
"id": "GHSA-446w-rrm4-r47f",
"modified": "2022-03-18T20:06:07Z",
"published": "2022-03-03T19:26:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-446w-rrm4-r47f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24725"
},
{
"type": "WEB",
"url": "https://github.com/ericcornelissen/shescape/issues/169"
},
{
"type": "WEB",
"url": "https://github.com/ericcornelissen/shescape/pull/170"
},
{
"type": "PACKAGE",
"url": "https://github.com/ericcornelissen/shescape"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Exposure of home directory through shescape on Unix with Bash"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.