Main Vulnerability Database Vulnerabilities #VU67516

#VU67516 Command Injection in Shell-quote - CVE-2021-42740

Published: September 20, 2022

Vulnerability identifier: #VU67516

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2021-42740

CWE-ID: CWE-77

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Shell-quote

Software vendor:
substack

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the regex designed to support Windows drive letters before passing it into the exec() call. A remote attacker can pass specially crafted payload to the application and execute arbitrary code on the system.

Remediation

Install updates from vendor's website.

External links

https://github.com/substack/node-shell-quote/commit/5799416ed454aa4ec9afafc895b4e31760ea1abe
https://www.npmjs.com/package/shell-quote
https://github.com/substack/node-shell-quote/blob/master/CHANGELOG.md#173

#VU67516 Command Injection in Shell-quote - CVE-2021-42740

Description

Remediation

External links

Please verify you're human