What is CVE-2021-21384?

CVE-2021-21384 is a vulnerability in the shescape package for JavaScript that allows shell injection if a special character is inserted into the payload.

How does CVE-2021-21384 impact users?

CVE-2021-21384 impacts users of shescape versions up to 1.1.3 who are using the package to defend against shell injection vulnerabilities, as it can still be exploited if a special character is inserted into the payload.

What software versions are affected by CVE-2021-21384?

Versions of shescape up to and including 1.1.3 are affected by CVE-2021-21384.

How severe is CVE-2021-21384?

CVE-2021-21384 has a severity rating of 7.8 (high).

How can I fix CVE-2021-21384?

To fix CVE-2021-21384, users should upgrade to shescape version 1.1.3 or later.

Vulnerability/
CVE-2021-21384

high

7.8

CWE

18/3/2021

3/8/2024

CVE-2021-21384: Null characters not escaped in shescape

First published: Thu Mar 18 2021(Updated: )

shescape is a simple shell escape package for JavaScript. In shescape before version 1.1.3, anyone using _Shescape_ to defend against shell injection may still be vulnerable against shell injection if the attacker manages to insert a into the payload. For an example see the referenced GitHub Security Advisory. The problem has been patched in version 1.1.3. No further changes are required.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Shescape Project Shescape	<1.1.3
Microsoft Windows
Opengroup Unix

Remedy

https://github.com/ericcornelissen/shescape/commit/07a069a66423809cbedd61d980c11ca44a29ea2b

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2021-21384?
CVE-2021-21384 is a vulnerability in the shescape package for JavaScript that allows shell injection if a special character is inserted into the payload.
How does CVE-2021-21384 impact users?
CVE-2021-21384 impacts users of shescape versions up to 1.1.3 who are using the package to defend against shell injection vulnerabilities, as it can still be exploited if a special character is inserted into the payload.
What software versions are affected by CVE-2021-21384?
Versions of shescape up to and including 1.1.3 are affected by CVE-2021-21384.
How severe is CVE-2021-21384?
CVE-2021-21384 has a severity rating of 7.8 (high).
How can I fix CVE-2021-21384?
To fix CVE-2021-21384, users should upgrade to shescape version 1.1.3 or later.

collector/nvd-index
agent/references
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/remedy
agent/weakness
agent/last-modified-date
agent/severity
agent/author
agent/title
agent/tags
agent/description
agent/event
agent/first-publish-date
vendor/shescape project
canonical/shescape project shescape
vendor/microsoft
canonical/microsoft windows
vendor/opengroup
canonical/opengroup unix

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.