Vulnerability Details : CVE-2021-21384
shescape is a simple shell escape package for JavaScript. In shescape before version 1.1.3, anyone using Shescape to defend against shell injection may still be vulnerable to shell injection if the attacker manages to insert a null character into the payload, because null characters were not escaped. For an example see the referenced GitHub Security Advisory. The problem has been patched in version 1.1.3, which strips null characters from arguments. No further changes are required.
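The following is an added example, not shescape's own code, showing why an unescaped null character defeats single-quote wrapping and what the "strip null characters" fix changes. A NUL byte terminates a C string, so when an escaped argument crosses a C boundary (an exec-style call, a shell's own argument handling) everything after the first NUL is dropped, which can leave the attacker-controlled text outside the quoting the escaper intended. The functions `quoteNaive`, `quoteStrippingNul`, `asCString` and `isWellQuoted` and the input `hostile` are constructed for this illustration and are not taken from the advisory.

```javascript
// Added example (not shescape's own code): a minimal single-quote escaper
// for POSIX shells, before and after stripping null characters, plus a
// simulation of what a C API sees when the escaped string reaches it.

// Naive escaper: wrap in single quotes and turn each ' into '\'' .
// This mirrors the pre-1.1.3 situation described above: the NUL byte
// itself is passed through untouched.
function quoteNaive(arg) {
  return "'" + String(arg).replace(/'/g, "'\\''") + "'";
}

// Hardened escaper: drop every NUL byte first (the approach of the 1.1.3
// patch "Strip null characters from arguments"), then quote. NUL cannot be
// part of a shell argument anyway, so removing it loses nothing legitimate.
function quoteStrippingNul(arg) {
  return quoteNaive(String(arg).replace(/\u0000/g, ""));
}

// Model of a C-string boundary: a C API only sees the bytes up to the
// first NUL; the rest of the JavaScript string is silently discarded.
function asCString(s) {
  const i = s.indexOf("\u0000");
  return i === -1 ? s : s.slice(0, i);
}

// Check that a quoted string is still fully enclosed: it starts and ends
// with a single quote, every inner ' belongs to a '\'' escape, and no NUL
// remains to truncate it later.
function isWellQuoted(s) {
  if (s.length < 2 || s[0] !== "'" || s[s.length - 1] !== "'") return false;
  const inner = s.slice(1, -1).replace(/'\\''/g, "");
  return !inner.includes("'") && !inner.includes("\u0000");
}

// Constructed attacker-controlled input (sample data, not from the
// advisory): a NUL byte followed by a closing quote and a command.
const hostile = "hello\u0000'; id #";

// Run both escapers over the hostile input and report what survives the
// C-string boundary and whether the quoting is still intact afterwards.
function demo() {
  const naive = quoteNaive(hostile);
  const fixed = quoteStrippingNul(hostile);
  return {
    naive,
    naiveSeenByC: asCString(naive),   // "'hello" : the closing quote is gone
    naiveIntact: isWellQuoted(asCString(naive)),
    fixed,
    fixedSeenByC: asCString(fixed),   // unchanged: no NUL to truncate at
    fixedIntact: isWellQuoted(asCString(fixed)),
  };
}
```

With the naive escaper the string that reaches the C side is `'hello`, an opening quote with no closing quote, so whatever the caller appends after the escaped argument is no longer protected by it; with NUL stripping the full `'hello'\''; id #'` survives and stays enclosed. Whether a particular runtime truncates at the NUL or rejects the string outright is runtime-specific; the point of the fix is that the escaper never emits a NUL in the first place.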
Exploit prediction scoring system (EPSS) score for CVE-2021-21384
Probability of exploitation activity in the next 30 days: 0.08%
Percentile (the proportion of vulnerabilities scored at or below this score): ~33%
CVSS scores for CVE-2021-21384
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P (CVSS v2) | 3.9 | 6.4 | NIST
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST
6.3 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N | 1.0 | 4.7 | GitHub, Inc.
CWE ids for CVE-2021-21384
- The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. (Assigned by: security-advisories@github.com, primary source)
References for CVE-2021-21384
- https://www.npmjs.com/package/shescape (shescape - npm) [Product]
- https://github.com/ericcornelissen/shescape/security/advisories/GHSA-f2rp-38vg-j3gh (Null characters not escaped · Advisory · ericcornelissen/shescape · GitHub) [Exploit; Third Party Advisory]
- https://github.com/ericcornelissen/shescape/commit/07a069a66423809cbedd61d980c11ca44a29ea2b (Strip null characters from arguments · ericcornelissen/shescape@07a069a · GitHub) [Patch; Third Party Advisory]
- https://github.com/ericcornelissen/shescape/releases/tag/v1.1.3 (Release v1.1.3 · ericcornelissen/shescape · GitHub) [Release Notes; Third Party Advisory]
Products affected by CVE-2021-21384
- cpe:2.3:a:shescape_project:shescape:*:*:*:*:*:node.js:*:* (all versions before 1.1.3)