Lucene search

GoogleOSV:CVE-2023-40185

HistoryAug 23, 2023 - 9:15 p.m.

CVE-2023-40185

2023-08-2321:15:09

Google

osv.dev

shescape

windows

threaded

vulnerability

patched

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

AI Score

7.1

Confidence

Low

EPSS

0.001

Percentile

41.7%

JSON

shescape is simple shell escape library for JavaScript. This may impact users that use Shescape on Windows in a threaded context. The vulnerability can result in Shescape escaping (or quoting) for the wrong shell, thus allowing attackers to bypass protections depending on the combination of expected and used shell. This bug has been patched in version 1.7.4.

References

github.com/ericcornelissen/shescape/commit/0b976dab645abf45ffd85e74a8c6e51ee2f42d63

github.com/ericcornelissen/shescape/pull/1142

github.com/ericcornelissen/shescape/releases/tag/v1.7.4

github.com/ericcornelissen/shescape/security/advisories/GHSA-j55r-787p-m549

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

AI Score

7.1

Confidence

Low

EPSS

0.001

Percentile

41.7%

JSON

Related for OSV:CVE-2023-40185