Vulnerability Information
Vulnerability Title
Exposure of home directory through shescape on Unix with Bash
Vulnerability Description
Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected. Depending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_. The issue was patched in version 1.5.1. As a workaround, manually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, "\\~")`.
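The following is an added example, not shescape's own code. It models the behaviour the advisory describes and the documented workaround: `fakeShescapeEscape` is a constructed stand-in for the affected `escape()` with `interpolation: true` for Bash (it backslash-escapes common metacharacters but, like the affected versions, leaves a leading tilde untouched), and the workaround is assumed to be applied to the escaper's output so that the escaper's own backslash handling does not double it.

```javascript
// Constructed stand-in for shescape's escape(arg, { interpolation: true })
// on Bash in the affected versions: escapes common metacharacters but not '~'.
const BASH_META = /([\\ "'$`!#&()*;<>?[\]^{|}])/g;

function fakeShescapeEscape(arg) {
  return String(arg).replace(BASH_META, "\\$1");
}

// Bash tilde-expands an unquoted word whose first character is an
// unescaped '~' (the tilde-prefix runs up to the first '/'). This check
// models only that word-start case, which is the one the advisory concerns:
// if it returns true, the interpolated word resolves to a home directory.
function bashWouldTildeExpand(word) {
  return /^~/.test(word);
}

// The advisory's workaround, arg.replace(/~/g, "\\~"), applied to the
// escaper's output (assumption: after escaping, see lead-in).
function escapeWithTildeWorkaround(arg, escaper = fakeShescapeEscape) {
  return escaper(arg).replace(/~/g, "\\~");
}

// Constructed input: a user-supplied path argument that starts with '~'.
const userArg = "~/notes.txt";
console.log(bashWouldTildeExpand(fakeShescapeEscape(userArg)));        // true: home dir exposed
console.log(bashWouldTildeExpand(escapeWithTildeWorkaround(userArg))); // false: tilde is literal
```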
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
Information Exposure
Vulnerability Title
Shescape OS Command Injection Vulnerability
Vulnerability Description
Shescape is an open-source, simple shell escape package for JavaScript. It is used to escape user-controlled input passed to shell commands in order to prevent shell injection. Shescape versions 1.4.0 through 1.5.1 contain an OS command injection vulnerability: when Bash is used together with the `escape` or `escapeAll` function of the shescape API and the `interpolation` option is set to `true`, the home directory on Unix systems is exposed. An attacker can perform directory traversal in an application that uses shescape.
CVSS Information
N/A
Vulnerability Type
N/A