CVE-2022-31179

Insufficient escaping of line feeds for CMD in shescape

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Shescape is a simple shell escape package for JavaScript. Versions prior to 1.5.8 were found to be subject to code injection on windows. This impacts users that use Shescape (any API function) to escape arguments for cmd.exe on Windows An attacker can omit all arguments following their input by including a line feed character (`'
'`) in the payload. This bug has been patched in [v1.5.8] which you can upgrade to now. No further changes are required. Alternatively, line feed characters (`'
'`) can be stripped out manually or the user input can be made the last argument (this only limits the impact).

Shescape es un sencillo paquete de escape de shell para JavaScript. Las versiones anteriores a 1.5.8, fueron encontradas sujetas a inyección de código en Windows. Esto afecta a usuarios que usan Shescape (cualquier función de la API) para escapar de los argumentos de cmd.exe en Windows Un atacante puede omitir todos los argumentos que siguen a su entrada mediante la inclusión de un carácter de avance de línea (""
"") en la carga útil. Este error ha sido parcheado en la [v1.5.8], a la que puede actualizar ahora. No es necesario realizar más cambios. Alternativamente, los caracteres de avance de línea (""
"") pueden ser eliminados manualmente o la entrada del usuario puede convertirse en el último argumento (esto sólo limita el impacto)

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-05-18 CVE Reserved
2022-08-01 CVE Published
2024-08-03 CVE Updated
2024-08-03 First Exploit
2024-10-23 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CAPEC

References (3)

URL	Tag	Source
https://github.com/ericcornelissen/shescape/releases/tag/v1.5.8	Release Notes

URL	Date	SRC
https://github.com/ericcornelissen/shescape/security/advisories/GHSA-jjc5-fp7p-6f8w	2024-08-03

URL	Date	SRC
https://github.com/ericcornelissen/shescape/pull/332	2022-08-09

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Shescape Project Search vendor "Shescape Project"	Shescape Search vendor "Shescape Project" for product "Shescape"	< 1.5.8 Search vendor "Shescape Project" for product "Shescape" and version " < 1.5.8"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe