CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
9.8%
fish is a smart and user-friendly command line shell for macOS, Linux, and
the rest of the family. fish shell uses certain Unicode non-characters
internally for marking wildcards and expansions. It will incorrectly allow
these markers to be read on command substitution output, rather than
transforming them into a safe internal representation. While this may cause
unexpected behavior with direct input (for example, echo \UFDD2HOME has the
same output as echo $HOME), this may become a minor security problem if the
output is being fed from an external program into a command substitution
where this output may not be expected. This design flaw was introduced in
very early versions of fish, predating the version control system, and is
thought to be present in every version of fish released in the last 15
years or more, although with different characters. Code execution does not
appear to be possible, but denial of service (through large brace
expansion) or information disclosure (such as variable expansion) is
potentially possible under certain circumstances. fish shell 3.6.2 has been
released to correct this issue. Users are advised to upgrade. There are no
known workarounds for this vulnerability.
github.com/fish-shell/fish-shell/commit/09986f5563e31e2c900a606438f1d60d008f3a14
github.com/fish-shell/fish-shell/commit/09986f5563e31e2c900a606438f1d60d008f3a14 (3.6.2)
github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f
launchpad.net/bugs/cve/CVE-2023-49284
nvd.nist.gov/vuln/detail/CVE-2023-49284
security-tracker.debian.org/tracker/CVE-2023-49284
www.cve.org/CVERecord?id=CVE-2023-49284