Vulnerability-Lookup

CVE-2022-31180 (GCVE-0-2022-31180)

Vulnerability from cvelistv5 – Published: 2022-08-01 19:15 – Updated: 2025-04-22 17:46

Title

Insufficient escaping of whitespace in shescape

Summary

Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when interpolating output. This issue only impacts users that use the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. The result is that if an attacker is able to include whitespace in their input they can: 1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace. 2. Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters. 3. Invoke arbitrary commands by inserting a line feed character. 4. Invoke arbitrary commands by inserting a carriage return character. Behaviour number 1 has been patched in [v1.5.7] which you can upgrade to now. No further changes are required. Behaviour number 2, 3, and 4 have been patched in [v1.5.8] which you can upgrade to now. No further changes are required. The best workaround is to avoid having to use the `interpolation: true` option - in most cases using an alternative is possible, see [the recipes](https://github.com/ericcornelissen/shescape#recipes) for recommendations. Alternatively, users may strip all whitespace from user input. Note that this is error prone, for example: for PowerShell this requires stripping `'\u0085'` which is not included in JavaScript's definition of `\s` for Regular Expressions.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/ericcornelissen/shescape/secur…	x_refsource_CONFIRM
	https://github.com/ericcornelissen/shescape/pull/322	x_refsource_MISC
	https://github.com/ericcornelissen/shescape/pull/324	x_refsource_MISC
	https://github.com/ericcornelissen/shescape/relea…	x_refsource_MISC
	https://github.com/ericcornelissen/shescape/relea…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	ericcornelissen	shescape	Affected: >=1.4.0 < 1.5.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:11:39.625Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-44vr-rwwj-p88h"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ericcornelissen/shescape/pull/322"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ericcornelissen/shescape/pull/324"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-31180",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-22T15:37:14.335356Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-22T17:46:22.040Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "shescape",
          "vendor": "ericcornelissen",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e=1.4.0 \u003c 1.5.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when interpolating output. This issue only impacts users that use the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. The result is that if an attacker is able to include whitespace in their input they can: 1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace. 2. Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters. 3. Invoke arbitrary commands by inserting a line feed character. 4. Invoke arbitrary commands by inserting a carriage return character. Behaviour number 1 has been patched in [v1.5.7] which you can upgrade to now. No further changes are required. Behaviour number 2, 3, and 4 have been patched in [v1.5.8] which you can upgrade to now. No further changes are required. The best workaround is to avoid having to use the `interpolation: true` option - in most cases using an alternative is possible, see [the recipes](https://github.com/ericcornelissen/shescape#recipes) for recommendations. Alternatively, users may strip all whitespace from user input. Note that this is error prone, for example: for PowerShell this requires stripping `\u0027\\u0085\u0027` which is not included in JavaScript\u0027s definition of `\\s` for Regular Expressions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-01T19:15:16.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-44vr-rwwj-p88h"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ericcornelissen/shescape/pull/322"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ericcornelissen/shescape/pull/324"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8"
        }
      ],
      "source": {
        "advisory": "GHSA-44vr-rwwj-p88h",
        "discovery": "UNKNOWN"
      },
      "title": "Insufficient escaping of whitespace in shescape",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-31180",
          "STATE": "PUBLIC",
          "TITLE": "Insufficient escaping of whitespace in shescape"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "shescape",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e=1.4.0 \u003c 1.5.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ericcornelissen"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when interpolating output. This issue only impacts users that use the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. The result is that if an attacker is able to include whitespace in their input they can: 1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace. 2. Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters. 3. Invoke arbitrary commands by inserting a line feed character. 4. Invoke arbitrary commands by inserting a carriage return character. Behaviour number 1 has been patched in [v1.5.7] which you can upgrade to now. No further changes are required. Behaviour number 2, 3, and 4 have been patched in [v1.5.8] which you can upgrade to now. No further changes are required. The best workaround is to avoid having to use the `interpolation: true` option - in most cases using an alternative is possible, see [the recipes](https://github.com/ericcornelissen/shescape#recipes) for recommendations. Alternatively, users may strip all whitespace from user input. Note that this is error prone, for example: for PowerShell this requires stripping `\u0027\\u0085\u0027` which is not included in JavaScript\u0027s definition of `\\s` for Regular Expressions."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-44vr-rwwj-p88h",
              "refsource": "CONFIRM",
              "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-44vr-rwwj-p88h"
            },
            {
              "name": "https://github.com/ericcornelissen/shescape/pull/322",
              "refsource": "MISC",
              "url": "https://github.com/ericcornelissen/shescape/pull/322"
            },
            {
              "name": "https://github.com/ericcornelissen/shescape/pull/324",
              "refsource": "MISC",
              "url": "https://github.com/ericcornelissen/shescape/pull/324"
            },
            {
              "name": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7",
              "refsource": "MISC",
              "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7"
            },
            {
              "name": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8",
              "refsource": "MISC",
              "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-44vr-rwwj-p88h",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-31180",
    "datePublished": "2022-08-01T19:15:16.000Z",
    "dateReserved": "2022-05-18T00:00:00.000Z",
    "dateUpdated": "2025-04-22T17:46:22.040Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/ericcornelissen/shescape/security/advisories/GHSA-44vr-rwwj-p88h\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/ericcornelissen/shescape/pull/322\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/ericcornelissen/shescape/pull/324\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T07:11:39.625Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-31180\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-22T15:37:14.335356Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-22T15:37:15.681Z\"}}], \"cna\": {\"title\": \"Insufficient escaping of whitespace in shescape\", \"source\": {\"advisory\": \"GHSA-44vr-rwwj-p88h\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"ericcornelissen\", \"product\": \"shescape\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e=1.4.0 \u003c 1.5.8\"}]}], \"references\": [{\"url\": \"https://github.com/ericcornelissen/shescape/security/advisories/GHSA-44vr-rwwj-p88h\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/ericcornelissen/shescape/pull/322\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/ericcornelissen/shescape/pull/324\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when interpolating output. This issue only impacts users that use the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. The result is that if an attacker is able to include whitespace in their input they can: 1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace. 2. Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters. 3. Invoke arbitrary commands by inserting a line feed character. 4. Invoke arbitrary commands by inserting a carriage return character. Behaviour number 1 has been patched in [v1.5.7] which you can upgrade to now. No further changes are required. Behaviour number 2, 3, and 4 have been patched in [v1.5.8] which you can upgrade to now. No further changes are required. The best workaround is to avoid having to use the `interpolation: true` option - in most cases using an alternative is possible, see [the recipes](https://github.com/ericcornelissen/shescape#recipes) for recommendations. Alternatively, users may strip all whitespace from user input. Note that this is error prone, for example: for PowerShell this requires stripping `\u0027\\\\u0085\u0027` which is not included in JavaScript\u0027s definition of `\\\\s` for Regular Expressions.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-74\", \"description\": \"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-08-01T19:15:16.000Z\"}, \"x_legacyV4Record\": {\"impact\": {\"cvss\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, \"source\": {\"advisory\": \"GHSA-44vr-rwwj-p88h\", \"discovery\": \"UNKNOWN\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"\u003e=1.4.0 \u003c 1.5.8\"}]}, \"product_name\": \"shescape\"}]}, \"vendor_name\": \"ericcornelissen\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://github.com/ericcornelissen/shescape/security/advisories/GHSA-44vr-rwwj-p88h\", \"name\": \"https://github.com/ericcornelissen/shescape/security/advisories/GHSA-44vr-rwwj-p88h\", \"refsource\": \"CONFIRM\"}, {\"url\": \"https://github.com/ericcornelissen/shescape/pull/322\", \"name\": \"https://github.com/ericcornelissen/shescape/pull/322\", \"refsource\": \"MISC\"}, {\"url\": \"https://github.com/ericcornelissen/shescape/pull/324\", \"name\": \"https://github.com/ericcornelissen/shescape/pull/324\", \"refsource\": \"MISC\"}, {\"url\": \"https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7\", \"name\": \"https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7\", \"refsource\": \"MISC\"}, {\"url\": \"https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8\", \"name\": \"https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8\", \"refsource\": \"MISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when interpolating output. This issue only impacts users that use the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. The result is that if an attacker is able to include whitespace in their input they can: 1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace. 2. Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters. 3. Invoke arbitrary commands by inserting a line feed character. 4. Invoke arbitrary commands by inserting a carriage return character. Behaviour number 1 has been patched in [v1.5.7] which you can upgrade to now. No further changes are required. Behaviour number 2, 3, and 4 have been patched in [v1.5.8] which you can upgrade to now. No further changes are required. The best workaround is to avoid having to use the `interpolation: true` option - in most cases using an alternative is possible, see [the recipes](https://github.com/ericcornelissen/shescape#recipes) for recommendations. Alternatively, users may strip all whitespace from user input. Note that this is error prone, for example: for PowerShell this requires stripping `\u0027\\\\u0085\u0027` which is not included in JavaScript\u0027s definition of `\\\\s` for Regular Expressions.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2022-31180\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Insufficient escaping of whitespace in shescape\", \"ASSIGNER\": \"security-advisories@github.com\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-31180\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-22T17:46:22.040Z\", \"dateReserved\": \"2022-05-18T00:00:00.000Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-08-01T19:15:16.000Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2022-31180

Vulnerability from fkie_nvd - Published: 2022-08-01 20:15 - Updated: 2024-11-21 07:04

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/ericcornelissen/shescape/pull/322	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/ericcornelissen/shescape/pull/324	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/ericcornelissen/shescape/security/advisories/GHSA-44vr-rwwj-p88h	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ericcornelissen/shescape/pull/322	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ericcornelissen/shescape/pull/324	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ericcornelissen/shescape/security/advisories/GHSA-44vr-rwwj-p88h	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	shescape_project	shescape	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:shescape_project:shescape:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F0E6F72E-DC24-4C62-95BB-4323DCF5D983",
              "versionEndExcluding": "1.5.8",
              "versionStartIncluding": "1.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when interpolating output. This issue only impacts users that use the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. The result is that if an attacker is able to include whitespace in their input they can: 1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace. 2. Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters. 3. Invoke arbitrary commands by inserting a line feed character. 4. Invoke arbitrary commands by inserting a carriage return character. Behaviour number 1 has been patched in [v1.5.7] which you can upgrade to now. No further changes are required. Behaviour number 2, 3, and 4 have been patched in [v1.5.8] which you can upgrade to now. No further changes are required. The best workaround is to avoid having to use the `interpolation: true` option - in most cases using an alternative is possible, see [the recipes](https://github.com/ericcornelissen/shescape#recipes) for recommendations. Alternatively, users may strip all whitespace from user input. Note that this is error prone, for example: for PowerShell this requires stripping `\u0027\\u0085\u0027` which is not included in JavaScript\u0027s definition of `\\s` for Regular Expressions."
    },
    {
      "lang": "es",
      "value": "Shescape es un paquete de escape de shell simple para JavaScript. Se ha detectado que las versiones afectadas no escapan suficientemente de los espacios en blanco cuando interpolan la salida. Este problema s\u00f3lo afecta a usuarios que usan las funciones \"escape\" o \"escapeAll\" con la opci\u00f3n \"interpolation\" establecida como \"true\". El resultado es que si un atacante es capaz de incluir espacios en blanco en su entrada puede 1. Invocar un comportamiento espec\u00edfico del shell a trav\u00e9s de caracteres especiales espec\u00edficos del shell insertados directamente despu\u00e9s de los espacios en blanco. 2. 2. Invocar el comportamiento espec\u00edfico del shell mediante caracteres especiales espec\u00edficos del shell insertados o que aparecen despu\u00e9s de los caracteres de terminaci\u00f3n de l\u00ednea. 3. Invocar comandos arbitrarios mediante la inserci\u00f3n de un car\u00e1cter de avance de l\u00ednea. 4. Invocar comandos arbitrarios mediante la inserci\u00f3n de un car\u00e1cter de retorno de carro. El comportamiento n\u00famero 1 ha sido parcheado en la [versi\u00f3n v1.5.7] a la que puedes actualizar ahora. No son requeridos m\u00e1s cambios. Los comportamientos n\u00famero 2, 3 y 4 han sido parcheados en la [versi\u00f3n v1.5.8] a la que puede actualizarse ahora. No son requeridos m\u00e1s cambios. La mejor mitigaci\u00f3n es evitar tener que usar la opci\u00f3n \"interpolaci\u00f3n: true\" - en la mayor\u00eda de los casos es posible usar una alternativa, vea [las recetas](https://github.com/ericcornelissen/shescape#recipes) para recomendaciones. Alternativamente, los usuarios pueden eliminar todos los espacios en blanco de la entrada del usuario. Tenga en cuenta que esto es propenso a errores, por ejemplo: para PowerShell esto requiere quitar \"\u0027\\u0085\u0027\" que no est\u00e1 incluido en la definici\u00f3n de JavaScript de \"\\s\" para Expresiones Regulares"
    }
  ],
  "id": "CVE-2022-31180",
  "lastModified": "2024-11-21T07:04:03.977",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-08-01T20:15:08.237",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ericcornelissen/shescape/pull/322"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ericcornelissen/shescape/pull/324"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-44vr-rwwj-p88h"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ericcornelissen/shescape/pull/322"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ericcornelissen/shescape/pull/324"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-44vr-rwwj-p88h"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-74"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-44VR-RWWJ-P88H

Vulnerability from github – Published: 2022-07-15 21:46 – Updated: 2022-08-11 22:14

Summary

Shescape vulnerable to insufficient escaping of whitespace

Details

Impact

This only impacts users that use the escape or escapeAll functions with the interpolation option set to true. Example:

import cp from "node:child_process";
import * as shescape from "shescape";

// 1. Prerequisites
const options = {
  shell: "bash",
  // Or
  shell: "dash",
  // Or
  shell: "powershell.exe",
  // Or
  shell: "zsh",
  // Or
  shell: undefined, // Only if the default shell is one of the affected shells.
};

// 2. Attack (one of multiple)
const payload = "foo #bar";

// 3. Usage
let escapedPayload;
shescape.escape(payload, { interpolation: true });
// Or
shescape.escapeAll(payload, { interpolation: true });

cp.execSync(`echo Hello ${escapedPayload}!`, options);
// _Output depends on the shell being used_

The result is that if an attacker is able to include whitespace in their input they can:

Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace.
Affected shells: Bash, Dash, Zsh, PowerShell
Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters.
Affected shells: Bash
Invoke arbitrary commands by inserting a line feed character.
Affected Shells: Bash, Dash, Zsh, PowerShell
Invoke arbitrary commands by inserting a carriage return character.
Affected Shells: PowerShell

Patches

Behaviour number 1 has been patched in v1.5.7 which you can upgrade to now. No further changes are required.

Behaviour number 2, 3, and 4 have been patched in v1.5.8 which you can upgrade to now. No further changes are required.

Workarounds

The best workaround is to avoid having to use the interpolation: true option - in most cases using an alternative is possible, see the recipes for recommendations.

Alternatively, you can strip all whitespace from user input. Note that this is error prone, for example: for PowerShell this requires stripping '\u0085' which is not included in JavaScript's definition of \s for Regular Expressions.

References

https://github.com/ericcornelissen/shescape/pull/322
https://github.com/ericcornelissen/shescape/pull/324
https://github.com/ericcornelissen/shescape/pull/332
https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7
https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8

For more information

Comment on:
For behaviour 1 (PowerShell): https://github.com/ericcornelissen/shescape/pull/322
For behaviour 1 (Bash, Dash, Zsh): https://github.com/ericcornelissen/shescape/pull/324
For behaviour 2, 3, 4 (any shell): https://github.com/ericcornelissen/shescape/pull/332
Open an issue at https://github.com/ericcornelissen/shescape/issues (New issue > Question > Get started)
If you're missing CMD from this advisory, see https://github.com/ericcornelissen/shescape/security/advisories/GHSA-jjc5-fp7p-6f8w

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "shescape"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.5.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31180"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-15T21:46:08Z",
    "nvd_published_at": "2022-08-01T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nThis only impacts users that use the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. Example:\n\n```javascript\nimport cp from \"node:child_process\";\nimport * as shescape from \"shescape\";\n\n// 1. Prerequisites\nconst options = {\n  shell: \"bash\",\n  // Or\n  shell: \"dash\",\n  // Or\n  shell: \"powershell.exe\",\n  // Or\n  shell: \"zsh\",\n  // Or\n  shell: undefined, // Only if the default shell is one of the affected shells.\n};\n\n// 2. Attack (one of multiple)\nconst payload = \"foo #bar\";\n\n// 3. Usage\nlet escapedPayload;\nshescape.escape(payload, { interpolation: true });\n// Or\nshescape.escapeAll(payload, { interpolation: true });\n\ncp.execSync(`echo Hello ${escapedPayload}!`, options);\n// _Output depends on the shell being used_\n```\n\nThe result is that if an attacker is able to include whitespace in their input they can:\n\n1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace.\n   - Affected shells: _Bash_, _Dash_, _Zsh_, _PowerShell_\n2. Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters. \n   - Affected shells: _Bash_\n3. Invoke arbitrary commands by inserting a line feed character.\n   - Affected Shells: _Bash_, _Dash_, _Zsh_, _PowerShell_\n3. Invoke arbitrary commands by inserting a carriage return character.\n   - Affected Shells: _PowerShell_\n\n### Patches\n\nBehaviour number 1 has been patched in [v1.5.7] which you can upgrade to now. No further changes are required.\n\nBehaviour number 2, 3, and 4 have been patched in [v1.5.8] which you can upgrade to now. No further changes are required.\n\n### Workarounds\n\nThe best workaround is to avoid having to use the `interpolation: true` option - in most cases using an alternative is possible, see [the recipes](https://github.com/ericcornelissen/shescape#recipes) for recommendations.\n\nAlternatively, you can strip all whitespace from user input. Note that this is error prone, for example: for PowerShell this requires stripping `\u0027\\u0085\u0027` which is not included in JavaScript\u0027s definition of `\\s` for Regular Expressions.\n\n### References\n\n- https://github.com/ericcornelissen/shescape/pull/322\n- https://github.com/ericcornelissen/shescape/pull/324\n- https://github.com/ericcornelissen/shescape/pull/332\n- https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7\n- https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8\n\n### For more information\n\n- Comment on:\n  - For behaviour 1 (PowerShell): https://github.com/ericcornelissen/shescape/pull/322\n  - For behaviour 1 (Bash, Dash, Zsh): https://github.com/ericcornelissen/shescape/pull/324\n  - For behaviour 2, 3, 4 (_any shell_): https://github.com/ericcornelissen/shescape/pull/332\n- Open an issue at https://github.com/ericcornelissen/shescape/issues (_New issue_ \u003e _Question_ \u003e _Get started_)\n- If you\u0027re missing CMD from this advisory, see https://github.com/ericcornelissen/shescape/security/advisories/GHSA-jjc5-fp7p-6f8w\n\n[v1.5.7]: https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7\n[v1.5.8]: https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8\n\n",
  "id": "GHSA-44vr-rwwj-p88h",
  "modified": "2022-08-11T22:14:40Z",
  "published": "2022-07-15T21:46:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-44vr-rwwj-p88h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31180"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ericcornelissen/shescape/pull/322"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ericcornelissen/shescape/pull/324"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ericcornelissen/shescape/pull/332"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ericcornelissen/shescape"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Shescape vulnerable to insufficient escaping of whitespace"
}

GSD-2022-31180

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-31180

Aliases

CVE-2022-31180

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-31180",
    "description": "Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when interpolating output. This issue only impacts users that use the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. The result is that if an attacker is able to include whitespace in their input they can: 1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace. 2. Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters. 3. Invoke arbitrary commands by inserting a line feed character. 4. Invoke arbitrary commands by inserting a carriage return character. Behaviour number 1 has been patched in [v1.5.7] which you can upgrade to now. No further changes are required. Behaviour number 2, 3, and 4 have been patched in [v1.5.8] which you can upgrade to now. No further changes are required. The best workaround is to avoid having to use the `interpolation: true` option - in most cases using an alternative is possible, see [the recipes](https://github.com/ericcornelissen/shescape#recipes) for recommendations. Alternatively, users may strip all whitespace from user input. Note that this is error prone, for example: for PowerShell this requires stripping `\u0027\\u0085\u0027` which is not included in JavaScript\u0027s definition of `\\s` for Regular Expressions.",
    "id": "GSD-2022-31180"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-31180"
      ],
      "details": "Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when interpolating output. This issue only impacts users that use the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. The result is that if an attacker is able to include whitespace in their input they can: 1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace. 2. Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters. 3. Invoke arbitrary commands by inserting a line feed character. 4. Invoke arbitrary commands by inserting a carriage return character. Behaviour number 1 has been patched in [v1.5.7] which you can upgrade to now. No further changes are required. Behaviour number 2, 3, and 4 have been patched in [v1.5.8] which you can upgrade to now. No further changes are required. The best workaround is to avoid having to use the `interpolation: true` option - in most cases using an alternative is possible, see [the recipes](https://github.com/ericcornelissen/shescape#recipes) for recommendations. Alternatively, users may strip all whitespace from user input. Note that this is error prone, for example: for PowerShell this requires stripping `\u0027\\u0085\u0027` which is not included in JavaScript\u0027s definition of `\\s` for Regular Expressions.",
      "id": "GSD-2022-31180",
      "modified": "2023-12-13T01:19:18.348055Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-31180",
        "STATE": "PUBLIC",
        "TITLE": "Insufficient escaping of whitespace in shescape"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "shescape",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e=1.4.0 \u003c 1.5.8"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "ericcornelissen"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when interpolating output. This issue only impacts users that use the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. The result is that if an attacker is able to include whitespace in their input they can: 1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace. 2. Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters. 3. Invoke arbitrary commands by inserting a line feed character. 4. Invoke arbitrary commands by inserting a carriage return character. Behaviour number 1 has been patched in [v1.5.7] which you can upgrade to now. No further changes are required. Behaviour number 2, 3, and 4 have been patched in [v1.5.8] which you can upgrade to now. No further changes are required. The best workaround is to avoid having to use the `interpolation: true` option - in most cases using an alternative is possible, see [the recipes](https://github.com/ericcornelissen/shescape#recipes) for recommendations. Alternatively, users may strip all whitespace from user input. Note that this is error prone, for example: for PowerShell this requires stripping `\u0027\\u0085\u0027` which is not included in JavaScript\u0027s definition of `\\s` for Regular Expressions."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-44vr-rwwj-p88h",
            "refsource": "CONFIRM",
            "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-44vr-rwwj-p88h"
          },
          {
            "name": "https://github.com/ericcornelissen/shescape/pull/322",
            "refsource": "MISC",
            "url": "https://github.com/ericcornelissen/shescape/pull/322"
          },
          {
            "name": "https://github.com/ericcornelissen/shescape/pull/324",
            "refsource": "MISC",
            "url": "https://github.com/ericcornelissen/shescape/pull/324"
          },
          {
            "name": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7",
            "refsource": "MISC",
            "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7"
          },
          {
            "name": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8",
            "refsource": "MISC",
            "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-44vr-rwwj-p88h",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=1.4.0 \u003c1.5.8",
          "affected_versions": "All versions starting from 1.4.0 before 1.5.8",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2023-07-24",
          "description": "Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when interpolating output. This issue only impacts users that use the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. The result is that if an attacker is able to include whitespace in their input they can: 1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace. 2. Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters. 3. Invoke arbitrary commands by inserting a line feed character. 4. Invoke arbitrary commands by inserting a carriage return character. Behaviour number 1 has been patched in [v1.5.7] which you can upgrade to now. No further changes are required. Behaviour number 2, 3, and 4 have been patched in [v1.5.8] which you can upgrade to now. No further changes are required. The best workaround is to avoid having to use the `interpolation: true` option - in most cases using an alternative is possible, see [the recipes](https://github.com/ericcornelissen/shescape#recipes) for recommendations. Alternatively, users may strip all whitespace from user input. Note that this is error prone, for example: for PowerShell this requires stripping `\u0027\\u0085\u0027` which is not included in JavaScript\u0027s definition of `\\s` for Regular Expressions.",
          "fixed_versions": [
            "1.5.8"
          ],
          "identifier": "CVE-2022-31180",
          "identifiers": [
            "CVE-2022-31180",
            "GHSA-44vr-rwwj-p88h"
          ],
          "not_impacted": "All versions before 1.4.0, all versions starting from 1.5.8",
          "package_slug": "npm/shescape",
          "pubdate": "2022-08-01",
          "solution": "Upgrade to version 1.5.8 or above.",
          "title": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-31180",
            "https://github.com/ericcornelissen/shescape/pull/322",
            "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7",
            "https://github.com/ericcornelissen/shescape/pull/324",
            "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8",
            "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-44vr-rwwj-p88h"
          ],
          "uuid": "612ef3e2-4343-4f38-889a-13946329984c"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:shescape_project:shescape:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.5.8",
                "versionStartIncluding": "1.4.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-31180"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when interpolating output. This issue only impacts users that use the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. The result is that if an attacker is able to include whitespace in their input they can: 1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace. 2. Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters. 3. Invoke arbitrary commands by inserting a line feed character. 4. Invoke arbitrary commands by inserting a carriage return character. Behaviour number 1 has been patched in [v1.5.7] which you can upgrade to now. No further changes are required. Behaviour number 2, 3, and 4 have been patched in [v1.5.8] which you can upgrade to now. No further changes are required. The best workaround is to avoid having to use the `interpolation: true` option - in most cases using an alternative is possible, see [the recipes](https://github.com/ericcornelissen/shescape#recipes) for recommendations. Alternatively, users may strip all whitespace from user input. Note that this is error prone, for example: for PowerShell this requires stripping `\u0027\\u0085\u0027` which is not included in JavaScript\u0027s definition of `\\s` for Regular Expressions."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-Other"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/ericcornelissen/shescape/pull/322",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/ericcornelissen/shescape/pull/322"
            },
            {
              "name": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.7"
            },
            {
              "name": "https://github.com/ericcornelissen/shescape/pull/324",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/ericcornelissen/shescape/pull/324"
            },
            {
              "name": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8"
            },
            {
              "name": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-44vr-rwwj-p88h",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-44vr-rwwj-p88h"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-07-24T13:07Z",
      "publishedDate": "2022-08-01T20:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-31180 (GCVE-0-2022-31180)

FKIE_CVE-2022-31180

GHSA-44VR-RWWJ-P88H

Impact

Patches

Workarounds

References

For more information

GSD-2022-31180

Tags

Sightings

Nomenclature