You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
mend-for-github-combot
changed the title
serverless-python-requirements-5.1.0.tgz: 3 vulnerabilities (highest severity is: 9.8)
serverless-python-requirements-5.1.0.tgz: 1 vulnerabilities (highest severity is: 9.8)
Mar 4, 2024
Vulnerable Library - serverless-python-requirements-5.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/shell-quote/package.json
Found in HEAD commit: becc85ab1b5f059a9b9ba629c0734b3199a5d00a
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2021-42740
Vulnerable Library - shell-quote-1.7.2.tgz
quote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/shell-quote/package.json
Dependency Hierarchy:
Found in HEAD commit: becc85ab1b5f059a9b9ba629c0734b3199a5d00a
Found in base branch: main
Vulnerability Details
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
Publish Date: 2021-10-21
URL: CVE-2021-42740
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740
Release Date: 2021-10-21
Fix Resolution (shell-quote): 1.7.3
Direct dependency fix Resolution (serverless-python-requirements): 5.1.1
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: