{"containers": {"cna": {"affected": [{"product": "shescape", "vendor": "ericcornelissen", "versions": [{"status": "affected", "version": ">= 1.5.1, < 1.5.10"}]}], "descriptions": [{"lang": "en", "value": "Shescape is a shell escape package for JavaScript. An Inefficient Regular Expression Complexity vulnerability impacts users that use Shescape to escape arguments for the Unix shells `Bash` and `Dash`, or any not-officially-supported Unix shell; and/or using the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. An attacker can cause polynomial backtracking or quadratic runtime in terms of the input string length due to two Regular Expressions in Shescape that are vulnerable to Regular Expression Denial of Service (ReDoS). This bug has been patched in v1.5.10. For `Dash` only, this bug has been patched since v1.5.9. As a workaround, a maximum length can be enforced on input strings to Shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1333", "description": "CWE-1333: Inefficient Regular Expression Complexity", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-06T20:55:10", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-gp75-h7j6-5pv3"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ericcornelissen/shescape/pull/373"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.10"}], "source": {"advisory": "GHSA-gp75-h7j6-5pv3", "discovery": "UNKNOWN"}, "title": "Shescape Inefficient Regular Expression Complexity vulnerability", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-36064", "STATE": "PUBLIC", "TITLE": "Shescape Inefficient Regular Expression Complexity vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "shescape", "version": {"version_data": [{"version_value": ">= 1.5.1, < 1.5.10"}]}}]}, "vendor_name": "ericcornelissen"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Shescape is a shell escape package for JavaScript. An Inefficient Regular Expression Complexity vulnerability impacts users that use Shescape to escape arguments for the Unix shells `Bash` and `Dash`, or any not-officially-supported Unix shell; and/or using the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. An attacker can cause polynomial backtracking or quadratic runtime in terms of the input string length due to two Regular Expressions in Shescape that are vulnerable to Regular Expression Denial of Service (ReDoS). This bug has been patched in v1.5.10. For `Dash` only, this bug has been patched since v1.5.9. As a workaround, a maximum length can be enforced on input strings to Shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-1333: Inefficient Regular Expression Complexity"}]}, {"description": [{"lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-gp75-h7j6-5pv3", "refsource": "CONFIRM", "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-gp75-h7j6-5pv3"}, {"name": "https://github.com/ericcornelissen/shescape/pull/373", "refsource": "MISC", "url": "https://github.com/ericcornelissen/shescape/pull/373"}, {"name": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.10", "refsource": "MISC", "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.10"}]}, "source": {"advisory": "GHSA-gp75-h7j6-5pv3", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-36064", "datePublished": "2022-09-06T20:55:10", "dateReserved": "2022-07-15T00:00:00", "dateUpdated": "2022-09-06T20:55:10", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shescape_project:shescape:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "418F1B2D-390F-43F3-AAB2-E208F904AE3A", "versionEndExcluding": "1.5.10", "versionStartIncluding": "1.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Shescape is a shell escape package for JavaScript. An Inefficient Regular Expression Complexity vulnerability impacts users that use Shescape to escape arguments for the Unix shells `Bash` and `Dash`, or any not-officially-supported Unix shell; and/or using the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. An attacker can cause polynomial backtracking or quadratic runtime in terms of the input string length due to two Regular Expressions in Shescape that are vulnerable to Regular Expression Denial of Service (ReDoS). This bug has been patched in v1.5.10. For `Dash` only, this bug has been patched since v1.5.9. As a workaround, a maximum length can be enforced on input strings to Shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself."}, {"lang": "es", "value": "Shescape es un paquete de escape de shell para JavaScript. Una vulnerabilidad en la Complejidad de las Expresiones Regulares Ineficiente afecta a usuarios que usan Shescape para escapar de argumentos para los shells Unix \"Bash\" y \"Dash\", o cualquier shell Unix no soportado oficialmente; y/o usando las funciones \"escape\" o \"escapeAll\" con la opci\u00f3n \"interpolation\" establecida en \"true\". Un atacante puede causar un retroceso polin\u00f3mico o un tiempo de ejecuci\u00f3n cuadr\u00e1tico en t\u00e9rminos de la longitud de la cadena de entrada debido a dos Expresiones Regulares en Shescape que son vulnerables a una Denegaci\u00f3n de Servicio de Expresiones Regulares (ReDoS). Este bug ha sido parcheado en versi\u00f3n v1.5.10. S\u00f3lo para \"Dash\", este bug ha sido parcheado desde la v1.5.9. Como mitigaci\u00f3n, puede imponerse una longitud m\u00e1xima en las cadenas de entrada a Shescape para reducir el impacto de la vulnerabilidad. No es recomendado intentar detectar cadenas de entrada vulnerables, ya que la l\u00f3gica para ello puede acabar siendo vulnerable al propio ReDoS."}], "id": "CVE-2022-36064", "lastModified": "2023-07-21T20:52:48.920", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-09-06T21:15:08.697", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/ericcornelissen/shescape/pull/373"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.5.10"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking", "Mitigation", "Third Party Advisory"], "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-gp75-h7j6-5pv3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1333"}, {"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}