Lucene search

@huntrdevCVELIST:CVE-2021-3769

HistoryNov 30, 2021 - 9:30 a.m.

CVE-2021-3769 OS Command Injection in ohmyzsh/ohmyzsh

2021-11-3009:30:18

CWE-78

@huntrdev

www.cve.org

command injection

ohmyzsh

pygmalion

pygmalion-virtualenv

refined

vulnerability

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.002

Percentile

61.2%

JSON

Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes Description: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited.Fixed in: b3ba9978.Impacted areas: - `pygmalion` theme. - `pygmalion-virtualenv` theme. - `refined` theme.

CNA Affected

[
  {
    "product": "ohmyzsh/ohmyzsh",
    "vendor": "ohmyzsh",
    "versions": [
      {
        "lessThan": "b3ba9978",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/ohmyzsh/ohmyzsh/commit/b3ba9978

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.002

Percentile

61.2%

JSON

Related for CVELIST:CVE-2021-3769