Vulnerability Details : CVE-2023-35931
Potential exploit
Shescape is a simple shell escape library for JavaScript. An attacker may be able to get read-only access to environment variables. This bug has been patched in version 1.7.1.
Products affected by CVE-2023-35931
- cpe:2.3:a:shescape_project:shescape:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-35931
- 0.26%: Probability of exploitation activity in the next 30 days
- ~ 49 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-35931
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 2.8 | 1.4 | NIST | |
3.1 | LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N | 1.6 | 1.4 | GitHub, Inc. | |
CWE ids for CVE-2023-35931
- The product uses an environment variable to store unencrypted sensitive information. Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-35931
- https://github.com/ericcornelissen/shescape/pull/982
  Test coverage for environment variables by ericcornelissen · Pull Request #982 · ericcornelissen/shescape · GitHub [Patch]
- https://github.com/ericcornelissen/shescape/commit/d0fce70f987ac0d8331f93cb45d47e79436173ac
  Test coverage for environment variables (#982) · ericcornelissen/shescape@d0fce70 · GitHub [Patch]
- https://github.com/ericcornelissen/shescape/security/advisories/GHSA-3g7p-8qhx-mc8r
  Potential environment variable exposure on Windows with CMD · Advisory · ericcornelissen/shescape · GitHub [Exploit; Vendor Advisory]
- https://github.com/ericcornelissen/shescape/releases/tag/v1.7.1
  Release Release v1.7.1 · ericcornelissen/shescape · GitHub [Release Notes]