CVE-2022-36064 — MEDIUM (5.9)

Q: How severe is CVE-2022-36064?

CVE-2022-36064 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-36064?

Check the references section above for vendor advisories and patch information. Affected products include: Shescape Project Shescape.

Vulnerability Description

Shescape is a shell escape package for JavaScript. An Inefficient Regular Expression Complexity vulnerability impacts users that use Shescape to escape arguments for the Unix shells `Bash` and `Dash`, or any not-officially-supported Unix shell; and/or using the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. An attacker can cause polynomial backtracking or quadratic runtime in terms of the input string length due to two Regular Expressions in Shescape that are vulnerable to Regular Expression Denial of Service (ReDoS). This bug has been patched in v1.5.10. For `Dash` only, this bug has been patched since v1.5.9. As a workaround, a maximum length can be enforced on input strings to Shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Shescape Project	Shescape	>= 1.5.1, < 1.5.10

Related Weaknesses (CWE)

CWE-400 CWE-1333

References

https://github.com/ericcornelissen/shescape/pull/373Issue TrackingPatchThird Party Advisory
https://github.com/ericcornelissen/shescape/releases/tag/v1.5.10Release NotesThird Party Advisory
https://github.com/ericcornelissen/shescape/security/advisories/GHSA-gp75-h7j6-5ExploitIssue TrackingMitigation
https://github.com/ericcornelissen/shescape/pull/373Issue TrackingPatchThird Party Advisory
https://github.com/ericcornelissen/shescape/releases/tag/v1.5.10Release NotesThird Party Advisory
https://github.com/ericcornelissen/shescape/security/advisories/GHSA-gp75-h7j6-5ExploitIssue TrackingMitigation

FAQ

What is CVE-2022-36064?

CVE-2022-36064 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Shescape is a shell escape package for JavaScript. An Inefficient Regular Expression Complexity vulnerability impacts users that use Shescape to escape arguments for the Unix shells `Bash` and `Dash`,...

How severe is CVE-2022-36064?

CVE-2022-36064 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-36064?

Check the references section above for vendor advisories and patch information. Affected products include: Shescape Project Shescape.