GHSA-64g7-mvw6-v9qj shelljs

Package

Manager: npm
Name: shelljs
Vulnerable Version: >=0 <0.8.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L

EPSS: N/A (percentile: N/A)

Details

Improper Privilege Management in shelljs

### Impact

Output from the synchronous version of `shell.exec()` may be visible to other users on the same system. You may be affected if you execute `shell.exec()` in multi-user Mac, Linux, or WSL environments, or if you execute `shell.exec()` as the root user.

Other shelljs functions (including the asynchronous version of `shell.exec()`) are not impacted.

### Patches

Patched in shelljs 0.8.5

### Workarounds

Recommended action is to upgrade to 0.8.5.

### References

https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/

### For more information

If you have any questions or comments about this advisory:

* Ask at https://github.com/shelljs/shelljs/issues/1058
* Open an issue at https://github.com/shelljs/shelljs/issues/new
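### Added example: checking a lockfile against the vulnerable range

This example is added here and is not part of the advisory or the shelljs project. It scans parsed `package-lock.json` data for every installed copy of shelljs, including nested ones, and classifies each against the range `>=0 <0.8.5`; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag shelljs entries in npm lockfile data that fall in the
// advisory's vulnerable range (>=0 <0.8.5).
const FIXED = [0, 8, 5]; // first patched release named in the advisory

// Classify a version string as 'vulnerable', 'patched' or 'unknown'.
// Pre-release/build suffixes are ignored; non-semver values (git URLs,
// tarballs) are 'unknown' so they get reviewed instead of silently passing.
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return 'unknown';
  const parts = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i] ? 'vulnerable' : 'patched';
  }
  return 'patched'; // exactly 0.8.5
}

// Collect every shelljs copy from a parsed package-lock.json object.
// lockfileVersion 2/3 uses a flat "packages" map keyed by install path;
// lockfileVersion 1 uses a nested "dependencies" tree.
function findShelljs(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/shelljs$/.test(path)) hits.push({ path, version: meta.version });
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'shelljs') hits.push({ path, version: meta.version });
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits.map((h) => ({ ...h, status: classify(h.version) }));
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/shelljs': { version: '0.8.5' },
    'node_modules/build-tool/node_modules/shelljs': { version: '0.8.4' },
    'node_modules/shelljs-helper': { version: '0.1.0' },
  },
};
console.log(findShelljs(SAMPLE_LOCK));
```

A `vulnerable` hit is an exposure only where that copy is used to call the synchronous `shell.exec()` in the environments the Impact section lists.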

Metadata

Created: 2022-01-14T21:09:50Z
Modified: 2022-01-14T20:50:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-64g7-mvw6-v9qj/GHSA-64g7-mvw6-v9qj.json
CWE IDs: ["CWE-269"]
Alternative ID: N/A
Finding: F159
Auto approve: 1