Shescape is a simple shell escape library for JavaScript. This vulnerability may impact users that use Shescape on Windows in a threaded context. It can result in Shescape escaping (or quoting) for the wrong shell, thus allowing attackers to bypass protections depending on the combination of expected and used shell. This bug has been patched in version 1.7.4.
References
Link | Resource |
---|---|
https://github.com/ericcornelissen/shescape/commit/0b976dab645abf45ffd85e74a8c6e51ee2f42d63 | Patch |
https://github.com/ericcornelissen/shescape/pull/1142 | Patch |
https://github.com/ericcornelissen/shescape/releases/tag/v1.7.4 | Release Notes |
https://github.com/ericcornelissen/shescape/security/advisories/GHSA-j55r-787p-m549 | Exploit, Patch, Vendor Advisory |
History
01 Sep 2023, 18:02
Type | Values Removed | Values Added |
---|---|---|
First Time | Shescape Project, Microsoft, Shescape Project shescape, Microsoft windows | |
CPE | cpe:2.3:a:shescape_project:shescape:*:*:*:*:*:node.js:*:*, cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* | |
CVSS | v2 : v3 : | v2 : unknown, v3 : 8.6 |
References | (MISC) https://github.com/ericcornelissen/shescape/releases/tag/v1.7.4 - Release Notes | |
References | (MISC) https://github.com/ericcornelissen/shescape/security/advisories/GHSA-j55r-787p-m549 - Exploit, Patch, Vendor Advisory | |
References | (MISC) https://github.com/ericcornelissen/shescape/commit/0b976dab645abf45ffd85e74a8c6e51ee2f42d63 - Patch | |
References | (MISC) https://github.com/ericcornelissen/shescape/pull/1142 - Patch |
23 Aug 2023, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-08-23 21:15
Updated : 2024-02-28 20:33
NVD link : CVE-2023-40185
Mitre link : CVE-2023-40185
CVE.ORG link : CVE-2023-40185
Products Affected
shescape_project
- shescape
microsoft
- windows
CWE
CWE-150
Improper Neutralization of Escape, Meta, or Control Sequences