nvd NVD:CVE-2023-40185
Aug 23, 2023 - 9:15 p.m.

CVE-2023-40185

2023-08-23 21:15:09
CWE-150
web.nvd.nist.gov
cve-2023-40185
shescape
shell escape
vulnerability
javascript
windows
patch

CVSS3: 8.6

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

AI Score: 7.1
Confidence: High

EPSS: 0.001
Percentile: 41.7%

Shescape is a simple shell escape library for JavaScript. This vulnerability may impact users that use Shescape on Windows in a threaded context. It can result in Shescape escaping (or quoting) for the wrong shell, thus allowing attackers to bypass protections depending on the combination of expected and used shell. This bug has been patched in version 1.7.4.

Affected configurations

Nvd

Node:
shescape_project shescape, Range <1.7.4, node.js
AND
microsoft windows, Match -

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| shescape_project | shescape | * | cpe:2.3:a:shescape_project:shescape:*:*:*:*:*:node.js:*:* |
| microsoft | windows | - | cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* |
