Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
glob CLI: Command injection via -c/--cmd executes matches with shell:true
Vulnerability Description
Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Vulnerability Title
Glob 操作系统命令注入漏洞
Vulnerability Description
Glob是isaacs个人开发者的一个文件匹配软件。 Glob 10.3.7版本至11.0.3版本存在操作系统命令注入漏洞,该漏洞源于命令注入,可能导致任意代码执行。
CVSS Information
N/A
Vulnerability Type
N/A