CVE-2021-21384
6.3
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N
Summary
shescape is a simple shell escape package for JavaScript. In shescape before version 1.1.3, anyone using Shescape to defend against shell injection may still be vulnerable against shell injection if the attacker manages to insert a into the payload. For an example see the referenced GitHub Security Advisory. The problem has been patched in version 1.1.3. No further changes are required.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ericcornelissen | shescape | < 1.1.3 | affected |
Weaknesses
- CWE-88: CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/ericcornelissen/shescape/security/advisories/GHSA-f2rp-38vg-j3gh
- https://github.com/ericcornelissen/shescape/commit/07a069a66423809cbedd61d980c11ca44a29ea2b
- https://github.com/ericcornelissen/shescape/releases/tag/v1.1.3
- https://www.npmjs.com/package/shescape
References
- https://github.com/ericcornelissen/shescape/security/advisories/GHSA-f2rp-38vg-j3gh
- https://github.com/ericcornelissen/shescape/commit/07a069a66423809cbedd61d980c11ca44a29ea2b
- https://github.com/ericcornelissen/shescape/releases/tag/v1.1.3
- https://www.npmjs.com/package/shescape
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.