CVE-2022-36064

Shescape is a shell escape package for JavaScript. An Inefficient Regular Expression Complexity vulnerability impacts users that use Shescape to escape arguments for the Unix shells `Bash` and `Dash`, or any not-officially-supported Unix shell; and/or using the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. An attacker can cause polynomial backtracking or quadratic runtime in terms of the input string length due to two Regular Expressions in Shescape that are vulnerable to Regular Expression Denial of Service (ReDoS). This bug has been patched in v1.5.10. For `Dash` only, this bug has been patched since v1.5.9. As a workaround, a maximum length can be enforced on input strings to Shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself.

CVSS v3.0 7.5 HIGH

7.5^/10

CVSS v3.0 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/ericcornelissen/shescape/releases/tag/v1.5.10	Release Notes Third Party Advisory
https://github.com/ericcornelissen/shescape/security/advisories/GHSA-gp75-h7j6-5pv3	Exploit Issue Tracking Mitigation Third Party Advisory
https://github.com/ericcornelissen/shescape/pull/373	Issue Tracking Patch Third Party Advisory

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:shescape_project:shescape:*:*:*:*:*:node.js:*:*

Information

Published : 2022-09-06 14:15

Updated : 2022-09-09 12:28

NVD link : CVE-2022-36064

Mitre link : CVE-2022-36064

JSON object : View

CWE

CWE-1333

Inefficient Regular Expression Complexity

CWE-400

Uncontrolled Resource Consumption

Advertisement

Products Affected

shescape_project

shescape

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.10", "name": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.10", "tags": ["Release Notes", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-gp75-h7j6-5pv3", "name": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-gp75-h7j6-5pv3", "tags": ["Exploit", "Issue Tracking", "Mitigation", "Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://github.com/ericcornelissen/shescape/pull/373", "name": "https://github.com/ericcornelissen/shescape/pull/373", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Shescape is a shell escape package for JavaScript. An Inefficient Regular Expression Complexity vulnerability impacts users that use Shescape to escape arguments for the Unix shells `Bash` and `Dash`, or any not-officially-supported Unix shell; and/or using the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. An attacker can cause polynomial backtracking or quadratic runtime in terms of the input string length due to two Regular Expressions in Shescape that are vulnerable to Regular Expression Denial of Service (ReDoS). This bug has been patched in v1.5.10. For `Dash` only, this bug has been patched since v1.5.9. As a workaround, a maximum length can be enforced on input strings to Shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-1333"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-36064", "ASSIGNER": "security-advisories@github.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}}, "publishedDate": "2022-09-06T21:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:shescape_project:shescape:*:*:*:*:*:node.js:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "1.5.10", "versionStartIncluding": "1.5.1"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-09-09T19:28Z"}