{"containers": {"cna": {"affected": [{"product": "shescape", "vendor": "ericcornelissen", "versions": [{"status": "affected", "version": "< 1.1.3"}]}], "descriptions": [{"lang": "en", "value": "shescape is a simple shell escape package for JavaScript. In shescape before version 1.1.3, anyone using _Shescape_ to defend against shell injection may still be vulnerable against shell injection if the attacker manages to insert a into the payload. For an example see the referenced GitHub Security Advisory. The problem has been patched in version 1.1.3. No further changes are required."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-88", "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-03-18T23:50:13", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-f2rp-38vg-j3gh"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ericcornelissen/shescape/commit/07a069a66423809cbedd61d980c11ca44a29ea2b"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.1.3"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/shescape"}], "source": {"advisory": "GHSA-f2rp-38vg-j3gh", "discovery": "UNKNOWN"}, "title": "Null characters not escaped in shescape", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21384", "STATE": "PUBLIC", "TITLE": "Null characters not escaped in shescape"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "shescape", "version": {"version_data": [{"version_value": "< 1.1.3"}]}}]}, "vendor_name": "ericcornelissen"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "shescape is a simple shell escape package for JavaScript. In shescape before version 1.1.3, anyone using _Shescape_ to defend against shell injection may still be vulnerable against shell injection if the attacker manages to insert a into the payload. For an example see the referenced GitHub Security Advisory. The problem has been patched in version 1.1.3. No further changes are required."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-f2rp-38vg-j3gh", "refsource": "CONFIRM", "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-f2rp-38vg-j3gh"}, {"name": "https://github.com/ericcornelissen/shescape/commit/07a069a66423809cbedd61d980c11ca44a29ea2b", "refsource": "MISC", "url": "https://github.com/ericcornelissen/shescape/commit/07a069a66423809cbedd61d980c11ca44a29ea2b"}, {"name": "https://github.com/ericcornelissen/shescape/releases/tag/v1.1.3", "refsource": "MISC", "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.1.3"}, {"name": "https://www.npmjs.com/package/shescape", "refsource": "MISC", "url": "https://www.npmjs.com/package/shescape"}]}, "source": {"advisory": "GHSA-f2rp-38vg-j3gh", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:09:15.790Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-f2rp-38vg-j3gh"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ericcornelissen/shescape/commit/07a069a66423809cbedd61d980c11ca44a29ea2b"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.1.3"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/shescape"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21384", "datePublished": "2021-03-18T23:50:13", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.790Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shescape_project:shescape:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "C88DEA52-C298-4E68-AA29-00122DE84930", "versionEndExcluding": "1.1.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}, {"criteria": "cpe:2.3:o:opengroup:unix:-:*:*:*:*:*:*:*", "matchCriteriaId": "6A90CB3A-9BE7-475C-9E75-6ECAD2106302", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "shescape is a simple shell escape package for JavaScript. In shescape before version 1.1.3, anyone using _Shescape_ to defend against shell injection may still be vulnerable against shell injection if the attacker manages to insert a into the payload. For an example see the referenced GitHub Security Advisory. The problem has been patched in version 1.1.3. No further changes are required."}, {"lang": "es", "value": "shescape es un paquete de escape de shell simple para JavaScript. En shescape versiones anteriores a 1.1.3, cualquiera que use _Shescape_ para defenderse de la inyecci\u00f3n de shell puede ser vulnerable frente a una inyecci\u00f3n shell si el atacante logra insertar en la carga \u00fatil. Para visualizar un ejemplo, consulte el Aviso de Seguridad de GitHub al que se hace referencia. El problema ha sido solucionado en la versi\u00f3n 1.1.3. No son requeridos m\u00e1s cambios"}], "id": "CVE-2021-21384", "lastModified": "2024-11-21T05:48:14.847", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-19T00:15:11.793", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ericcornelissen/shescape/commit/07a069a66423809cbedd61d980c11ca44a29ea2b"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.1.3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-f2rp-38vg-j3gh"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://www.npmjs.com/package/shescape"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ericcornelissen/shescape/commit/07a069a66423809cbedd61d980c11ca44a29ea2b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.1.3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-f2rp-38vg-j3gh"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://www.npmjs.com/package/shescape"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}