CVE-2021-42740
Date: October 21, 2021
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is `[A-z]` instead of the correct `[A-Za-z]`. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
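The following JavaScript is an added example and is not shell-quote's own code. It makes the advisory's point concrete from a reviewer's side: it enumerates the ASCII characters that `[A-z]` accepts but `[A-Za-z]` does not, shows that the buggy class accepts a backtick where a drive letter was expected, and includes a small constructed code-review check (`findRiskyClasses`, not a published lint rule) that flags regex character classes containing the `A-z` range. The sample source it scans is constructed and uses a shortened metacharacter class.

```javascript
// Added example, not shell-quote's own code. The character class [A-z] spans
// ASCII 65..122, so it also accepts the six punctuation characters that sit
// between 'Z' (90) and 'a' (97).

// Every ASCII character accepted by [A-z] but not by the intended [A-Za-z].
function nonLetterMatches() {
  const extra = [];
  for (let code = 0; code < 128; code++) {
    const ch = String.fromCharCode(code);
    if (/[A-z]/.test(ch) && !/[A-Za-z]/.test(ch)) extra.push(ch);
  }
  return extra; // [ '[', '\\', ']', '^', '_', '`' ]
}

// The drive-letter prefix test described in the advisory, in its pre-1.7.3
// form (fixed = false) and its corrected form (fixed = true). "C:" qualifies
// under both; "`:" only passes under the buggy class.
function looksLikeDriveLetter(s, fixed) {
  const driveLetter = fixed ? /^[A-Za-z]:$/ : /^[A-z]:$/;
  return driveLetter.test(s);
}

// Code-review helper (constructed, not a published lint rule): report every
// regex character class in a source string that contains the range A-z.
function findRiskyClasses(source) {
  const hits = [];
  const classWithAz = /\[[^\]]*A-z[^\]]*\]/g;
  let m;
  while ((m = classWithAz.exec(source)) !== null) {
    hits.push({ index: m.index, text: m[0] });
  }
  return hits;
}

// Constructed sample source: a reduced version of the vulnerable pattern next
// to its fix. The metacharacter class is shortened for readability.
const SAMPLE_SOURCE = [
  'const before = /([A-z]:)?([;&|`$])/g;',
  'const after  = /([A-Za-z]:)?([;&|`$])/g;',
].join('\n');

console.log(nonLetterMatches());
console.log(looksLikeDriveLetter('C:', false), looksLikeDriveLetter('`:', false));
console.log(looksLikeDriveLetter('C:', true), looksLikeDriveLetter('`:', true));
console.log(findRiskyClasses(SAMPLE_SOURCE));
```

Run it with `node` to see the six non-letter characters, the drive-letter check accepting a backtick under the old class and rejecting it under the fixed one, and the scanner reporting only the `[A-z]` class from the sample. The scanner is deliberately narrow: it only looks for the literal `A-z` range, which is the mistake this advisory describes, and it is meant as a quick grep-style review aid rather than a full regex parser.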
Language: JS
Weakness Type (CWE): CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Top Fix

Upgrade Version

Upgrade to version:
richardtmiles/carbonphp - dev-always_send_request_body
richardtmiles/carbonphp - dev-dependabot/npm_and_yarn/view/assets/react/terser-4.8.1
richardtmiles/carbonphp - dev-RestUpdate_PrimaryKeyValidation
richardtmiles/carbonphp - dev-feature/serialized_db_fix
richardtmiles/carbonphp - dev-dependabot/npm_and_yarn/crypto-js-4.2.0
richardtmiles/carbonphp - 5.0.0
richardtmiles/carbonphp - 1.0.1
scancode/portal-module - v1.0.12
scancode/portal-module - dev-dependabot/npm_and_yarn/Resources/assets/coreui/path-parse-1.0.7
scancode/portal-module - dev-dependabot/npm_and_yarn/Resources/assets/coreui/decode-uri-component-0.2.2
elegantweb/laravel-admin - dev-dependabot/npm_and_yarn/public/components/admin-lte/datatables.net-1.10.22
elegantweb/laravel-admin - v2.0.3
elegantweb/laravel-admin - no_fix
elegantweb/laravel-admin - 1.0.0
elegantweb/laravel-admin - v1.0.2
elegantweb/laravel-admin - v1.1.2
elegantweb/laravel-admin - dev-dependabot/npm_and_yarn/public/components/admin-lte/ini-1.3.8
elegantweb/laravel-admin - dev-dependabot/npm_and_yarn/public/components/browserify-zlib/tar-2.2.2
OctoWeb01 - no_fix
NewPlatform.Flexberry.Designer.EmberCache - no_fix
computerundsound/curserver - no_fix
computerundsound/curserver - 2.2.0
Bower - no_fix
asuwebplatforms/webspark-module-webspark_isearch - dev-WS2-708
asuwebplatforms/webspark-module-webspark_isearch - dev-WS2-298
VueJS.NetCore - 1.1.1
carbonorm/carbonphp - dev-dependabot/npm_and_yarn/crypto-js-4.2.0
carbonorm/carbonphp - 5.0.0
humanmade/workflows - 0.4.8-rc.1
humanmade/workflows - dev-master
platformatory/opendevx - no_fix
Ncapsulate.Bower - no_fix
shell-quote - 1.7.3
Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1
websix/templater - 0.0.1
websix/templater - no_fix
efecanaltay/hello-world - no_fix
contentasaurus/c-rex-admin - v1.0.7
contentasaurus/c-rex-admin - v1.0.1
MIDIator.WebClient - 1.0.105
dreamfactory/df-api-docs-ui - 1.1.0
yivic/yivic-elce - no_fix
org.webjars.npm:bower:1.8.12
org.webjars.npm:shell-quote:1.7.4
org.webjars.bower:jsonpath-object-transform:no_fix
CVSS v3.1
Base Score: 9.8 (computed from the vector below)

Metric | Value
---|---
Attack Vector (AV) | NETWORK
Attack Complexity (AC) | LOW
Privileges Required (PR) | NONE
User Interaction (UI) | NONE
Scope (S) | UNCHANGED
Confidentiality (C) | HIGH
Integrity (I) | HIGH
Availability (A) | HIGH
CVSS v2
Base Score: 7.5 (computed from the vector below)

Metric | Value
---|---
Access Vector (AV) | NETWORK
Access Complexity (AC) | LOW
Authentication (AU) | NONE
Confidentiality (C) | PARTIAL
Integrity (I) | PARTIAL
Availability (A) | PARTIAL