Vulnerabilities: 1 via 1 paths

Dependencies: 35

Source: GitHub

Commit: 7509dc78


medium severity

Information Exposure

  • Vulnerable module: shescape
  • Introduced through: shescape@2.1.0

Detailed paths

  • Introduced through: @snyk/snyk-cocoapods-plugin@snyk/snyk-cocoapods-plugin#7509dc7896ab35775a19f46e0146fcae0d901461 shescape@2.1.0
    Remediation: Upgrade to shescape@2.1.2.

Overview

shescape is a simple shell escape library.

Affected versions of this package are vulnerable to Information Exposure due to the way the shell parameter is configured. An attacker can gain read-only access to environment variables by supplying crafted input to any of the quote, quoteAll, escape, or escapeAll functions.

Note: This is only exploitable if the affected application uses Shescape on Windows and explicitly configures shell: cmd.exe or shell: true when calling quote, quoteAll, escape, or escapeAll.

Workaround

This vulnerability can be mitigated by removing all instances of % from user input before using Shescape.

Remediation

Upgrade shescape to version 2.1.2 or higher.

medium severity

MPL-2.0 license

  • Module: shescape
  • Introduced through: shescape@2.1.0

Detailed paths

  • Introduced through: @snyk/snyk-cocoapods-plugin@snyk/snyk-cocoapods-plugin#7509dc7896ab35775a19f46e0146fcae0d901461 shescape@2.1.0