Arbitrary Code Injection Affecting bikeshed package, versions [,3.0.0)
Snyk CVSS
Attack Complexity
Low
User Interaction
Required
Confidentiality
High
Integrity
High
Availability
High
Threat Intelligence
EPSS
0.07% (29th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-BIKESHED-1537646
- published 15 Aug 2021
- disclosed 15 Aug 2021
- credit apple502j
Introduced: 15 Aug 2021
CVE-2021-23422 Open this link in a new tabHow to fix?
Upgrade bikeshed
to version 3.0.0 or higher.
Overview
bikeshed is a pre-processor for spec documents.
Affected versions of this package are vulnerable to Arbitrary Code Injection. This can occur when an untrusted source file containing Inline Tag Command
metadata is processed. When an arbitrary OS command is executed, the command output would be included in the HTML output.