mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-08-04 08:44:25 +00:00
Update CVE-2021-3727.json
This commit is contained in:
Jamie Slome
GitHub
parent
c7490b8c6c
commit
6328bde251
@ -1,18 +1,86 @@
|
||||
{
|
||||
"data_type": "CVE",
|
||||
"data_format": "MITRE",
|
||||
"data_version": "4.0",
|
||||
"CVE_data_meta": {
|
||||
"ID": "CVE-2021-3727",
|
||||
"ASSIGNER": "cve@mitre.org",
|
||||
"STATE": "RESERVED"
|
||||
"CVE_data_meta":{
|
||||
"ASSIGNER":"security@huntr.dev",
|
||||
"ID":"CVE-2021-3727",
|
||||
"STATE":"PUBLIC",
|
||||
"TITLE":"OS Command Injection in ohmyzsh/ohmyzsh"
|
||||
},
|
||||
"affects":{
|
||||
"vendor":{
|
||||
"vendor_data":[
|
||||
{
|
||||
"product":{
|
||||
"product_data":[
|
||||
{
|
||||
"product_name":"ohmyzsh/ohmyzsh",
|
||||
"version":{
|
||||
"version_data":[
|
||||
{
|
||||
"version_affected":"<",
|
||||
"version_value":"72928432"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"vendor_name":"ohmyzsh"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"data_format":"MITRE",
|
||||
"data_type":"CVE",
|
||||
"data_version":"4.0",
|
||||
"description": {
|
||||
"description_data": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
|
||||
"value": "# Vulnerability in `rand-quote` and `hitokoto` plugins\n\n**Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they're an external API, it's not possible to know if the quotes are safe to use.\n\n**Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432).\n\n**Impacted areas**:\n\n- `rand-quote` plugin (`quote` function).\n- `hitokoto` plugin (`hitokoto` function)."
|
||||
}
|
||||
]
|
||||
},
|
||||
"exploit": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Enable the `rand-quote` or `hitokoto` plugins.\n3. Optional: run `quote` or `hitokoto` functions in a precmd hook:\n\n ```zsh\n add-zsh-hook precmd quote\n add-zsh-hook precmd hitokoto\n ```\n\n4. Wait until a quote from either `quotationspage.com` or `hitokoto.cn` contains either\n `$(<injected-command>`, <code>\\`\\<injected-command\\>\\`</code> or `${(e):-\"<injected-command>\"}`.\n\n - For the `rand-quote` plugin, this is how a malicious quote would look like (note the `$(echo PWNED)` part):\n\n ```plain\n ...\n <p>The following quotations were randomly selected from the collections selected below .</p><dl><dt class=\"quote\"><a title=\"Click for further information about this quotation\" href=\"/quote/31081.html\">Whatever you fear most has no power$(echo PWNED) - it is your fear that has the power.</a> </dt><dd class=\"author\"><div class=\"icons\"><a title=\"Further information about this quotation\" href=\"/quote/31081.html\"><img src=\"/icon_info.gif\" width=\"16\" height=\"16\" alt=\"[info]\" border=\"0\"></a><a title=\"Add to Your Quotations Page\" href=\"/myquotations.php?add=31081\"><img src=\"/icon_plus.gif\" width=\"16\" height=\"16\" alt=\"[add]\" border=\"0\"></a><a title=\"Email this quotation\" href=\"/quote/31081.html#email\"><img src=\"/icon_email.gif\" width=\"16\" height=\"16\" alt=\"[mail]\" border=\"0\"></a><img src=\"/icon_blank.gif\" width=\"16\" height=\"16\" alt=\"\" border=\"0\"></div><b><a href=\"/quotes/Oprah_Winfrey/\">Oprah Winfrey</a> (1954 - )</b>, <i>O Magazine</i></dd>\n ...\n ```\n\n Which would be printed by `print -P` as:\n\n ```console\n $ quote\n Oprah Winfrey: “Whatever you fear most has no powerPWNED - it is your fear that has the power.”\n ```\n\n Note that it's possible to submit your own quotes to quotationspage.com so this could be possible if moderators missed it.\n\n - For the `hitokoto` plugin, this is an example of a malicious quote (note the `$(echo PWNED)` part):\n\n ```plain\n {\"id\":7474,\"uuid\":\"0467d7cf-bca2-4cee-81ab-0b0640e51069\",\"hitokoto\":\"她拨弄琴弦,$(echo PWNED)扬起潮汐。\",\"type\":\"e\",\"from\":\"原创\",\"from_who\":\"我\",\"creator\":\"鸢尾\",\"creator_uid\":9969,\"reviewer\":4756,\"commit_from\":\"web\",\"created_at\":\"1627968443\",\"length\":11}\n ```\n\n Which would be printed by `print -P` as:\n\n ```console\n $ hitokoto\n 原创: “她拨弄琴弦,PWNED扬起潮汐。”\n ```\n\n `hitokoto.cn` also allows adding quotes to the database, so this could also be possible.\n"
|
||||
}
|
||||
],
|
||||
"impact":{
|
||||
"cvss":{
|
||||
"attackComplexity":"HIGH",
|
||||
"attackVector":"NETWORK",
|
||||
"availabilityImpact":"HIGH",
|
||||
"baseScore":7.5,
|
||||
"baseSeverity":"MEDIUM",
|
||||
"confidentialityImpact":"HIGH",
|
||||
"integrityImpact":"HIGH",
|
||||
"privilegesRequired":"NONE",
|
||||
"scope":"UNCHANGED",
|
||||
"userInteraction":"REQUIRED",
|
||||
"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
|
||||
"version":"3.1"
|
||||
}
|
||||
},
|
||||
"problemtype":{
|
||||
"problemtype_data":[
|
||||
{
|
||||
"description":[
|
||||
{
|
||||
"lang":"eng",
|
||||
"value":"CWE-78 OS Command Injection"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"references":{
|
||||
"reference_data":[
|
||||
{
|
||||
"name":"https://github.com/ohmyzsh/ohmyzsh/commit/72928432",
|
||||
"refsource":"MISC",
|
||||
"url":"https://github.com/ohmyzsh/ohmyzsh/commit/72928432"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user