#VU67516 Command Injection in Shell-quote


Published: 2022-09-20

Vulnerability identifier: #VU67516

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-42740

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Shell-quote
/

Vendor: substack

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the regex designed to support Windows drive letters before passing it into the exec() call. A remote attacker can pass specially crafted payload to the application and execute arbitrary code on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Shell-quote: 0.0.0 - 1.7.2

External links
http://github.com/substack/node-shell-quote/commit/5799416ed454aa4ec9afafc895b4e31760ea1abe
http://www.npmjs.com/package/shell-quote
http://github.com/substack/node-shell-quote/blob/master/CHANGELOG.md#173

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM MobileFirst Platform Foundation
SUSE update for SUSE Manager 4.2.11
Multiple vulnerabilities in IBM QRadar User Behavior Analytics
Multiple vulnerabilities in IBM Data Virtualization on Cloud Pak for Data
Command Injection in IBM Edge Application Manager
Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)
Command injection in IBM Cloud Pak for Multicloud Management Managed Services
SUSE update for SUSE Manager Proxy 4.3
SUSE update for SUSE Manager Server 4.2
SUSE update for release-notes-susemanager, release-notes-susemanager-proxy