CVE-2021-42740
Summary
| CVE | CVE-2021-42740 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2021-10-21 15:15:00 UTC |
|---|
| Updated | 2021-10-28 13:54:00 UTC |
|---|
| Description | The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character. |
|---|
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| fix for security issue with windows drive letter regex · substack/node-shell-quote@5799416 · GitHub |
CONFIRM |
github.com |
|
| shell-quote - npm |
MISC |
www.npmjs.com |
|
| node-shell-quote/CHANGELOG.md at master · substack/node-shell-quote · GitHub |
CONFIRM |
github.com |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 184433 Debian Security Update for node-shell-quote (CVE-2021-42740)
- 905099 Common Base Linux Mariner (CBL-Mariner) Security Update for reaper (12619)
