
CVE-2022-24725

Exposure of home directory through shescape on Unix with Bash

Severity Score: 5.5 (CVSS v3.1)

Public Exploits: 2 (Multiple Sources)

Exploited in Wild: - (KEV)

Decision: - (SSVC)

Descriptions

Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the _shescape_ API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected. Depending on how the output of _shescape_ is used, directory traversal may be possible in the application using _shescape_. The issue was patched in version 1.5.1. As a workaround, manually escape all instances of the tilde character (`~`) using `arg.replace(/~/g, "\\~")`.

*Credits: N/A
CVSS Scores
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Attack Vector: Local
Attack Complexity: Medium
Authentication: None
Confidentiality: Partial
Integrity: None
Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-02-10 CVE Reserved
  • 2022-03-03 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-08-03 First Exploit
  • 2024-11-03 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| Shescape Project | Shescape | >= 1.4.0 < 1.5.1 | node.js | Affected |