漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Shescape escape() leaves bracket glob expansion active on Bash, BusyBox, and Dash
Vulnerability Description
Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescape#escape() does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like secret[12] to expand into multiple filesystem matches instead of a single literal argument, turning one argument into multiple trusted-pathname matches. This vulnerability is fixed in 2.1.10.
CVSS Information
N/A
Vulnerability Type
信息暴露
Vulnerability Title
Shescape 信息泄露漏洞
Vulnerability Description
Shescape是Eric Cornelissen个人开发者的一个用于 JavaScript 的简单外壳转义程序包。 Shescape 2.1.10之前版本存在信息泄露漏洞,该漏洞源于未转义方括号通配符语法,可能导致攻击者控制的参数扩展为多个文件系统匹配项。
CVSS Information
N/A
Vulnerability Type
N/A