Lucene search
MitreCVELIST:CVE-2021-42740HistoryOct 21, 2021 - 2:46 p.m.
CVE-2021-42740
2021-10-2114:46:08
mitre
www.cve.org
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
Related
nvd
nvd
CVE-2021-42740
2021-10-21 15:15:07
cve
cve
CVE-2021-42740
2021-10-21 15:15:07
osv
osv
Improper Neutralization of Special Elements used in a Command in Shell-quote
2022-05-24 19:18:27
veracode
veracode
Command Injection
2021-10-22 03:55:20
ubuntucve
ubuntucve
CVE-2021-42740
2021-10-21 00:00:00
ibm
ibm
github
github
Improper Neutralization of Special Elements used in a Command in Shell-quote
2022-05-24 19:18:27
prion
prion
Command injection
2021-10-21 15:15:00
debiancve
debiancve
CVE-2021-42740
2021-10-21 15:15:07
nessus
nessus