CVE-2021-3726 (GCVE-0-2021-3726)

Vulnerability from cvelistv5 – Published: 2021-11-30 09:30 – Updated: 2024-08-03 17:01
Title
OS Command Injection in ohmyzsh/ohmyzsh
Summary
# Vulnerability in `title` function

**Description**: the `title` function defined in `lib/termsupport.zsh` uses `print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code could use the `title` function in a way that is unsafe.

**Fixed in**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac).

**Impacted areas**:

- `title` function in `lib/termsupport.zsh`.
- Custom user code using the `title` function.
CWE
  • CWE-78 - OS Command Injection
Impacted products
Vendor Product Version
ohmyzsh ohmyzsh/ohmyzsh Affected: unspecified, < a263cdac (custom)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:01:08.345Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ohmyzsh/ohmyzsh",
          "vendor": "ohmyzsh",
          "versions": [
            {
              "lessThan": "a263cdac",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "# Vulnerability in `title` function **Description**: the `title` function defined in `lib/termsupport.zsh` uses `print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code could use the `title` function in a way that is unsafe. **Fixed in**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac). **Impacted areas**: - `title` function in `lib/termsupport.zsh`. - Custom user code using the `title` function."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Add a custom function that calls `title` to set the terminal title with a user-supplied string.\n   For example:\n\n   ```sh\n   function dirpath_in_title {\n     title \"$PWD\"\n   }\n   add-zsh-hook precmd dirpath_in_title\n   ```\n\n3. Create and cd into a directory with a subshell command as its name:\n\n   ```sh\n   baddir=\u0027`echo pwned \u0026\u0026 id`\u0027\n   mkdir \"$baddir\" \u0026\u0026 cd \"$baddir\"\n   ```\n\n4. The `title` function incorrectly expands the subshell command (see screenshot):\n\n   ![2 title_function poc](https://user-images.githubusercontent.com/1441704/142874935-341ddd3c-21e8-4b9e-a5c1-77c0b3debacc.png)"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78 OS Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-11-30T09:30:15",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac"
        }
      ],
      "title": "OS Command Injection in ohmyzsh/ohmyzsh",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2021-3726",
          "STATE": "PUBLIC",
          "TITLE": "OS Command Injection in ohmyzsh/ohmyzsh"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ohmyzsh/ohmyzsh",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "a263cdac"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ohmyzsh"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "# Vulnerability in `title` function **Description**: the `title` function defined in `lib/termsupport.zsh` uses `print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code could use the `title` function in a way that is unsafe. **Fixed in**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac). **Impacted areas**: - `title` function in `lib/termsupport.zsh`. - Custom user code using the `title` function."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Add a custom function that calls `title` to set the terminal title with a user-supplied string.\n   For example:\n\n   ```sh\n   function dirpath_in_title {\n     title \"$PWD\"\n   }\n   add-zsh-hook precmd dirpath_in_title\n   ```\n\n3. Create and cd into a directory with a subshell command as its name:\n\n   ```sh\n   baddir=\u0027`echo pwned \u0026\u0026 id`\u0027\n   mkdir \"$baddir\" \u0026\u0026 cd \"$baddir\"\n   ```\n\n4. The `title` function incorrectly expands the subshell command (see screenshot):\n\n   ![2 title_function poc](https://user-images.githubusercontent.com/1441704/142874935-341ddd3c-21e8-4b9e-a5c1-77c0b3debacc.png)"
          }
        ],
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-78 OS Command Injection"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac",
              "refsource": "MISC",
              "url": "https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2021-3726",
    "datePublished": "2021-11-30T09:30:15",
    "dateReserved": "2021-08-19T00:00:00",
    "dateUpdated": "2024-08-03T17:01:08.345Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-3726\",\"sourceIdentifier\":\"security@huntr.dev\",\"published\":\"2021-11-30T10:15:08.883\",\"lastModified\":\"2024-11-21T06:22:15.633\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"# Vulnerability in `title` function **Description**: the `title` function defined in `lib/termsupport.zsh` uses `print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code could use the `title` function in a way that is unsafe. **Fixed in**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac). **Impacted areas**: - `title` function in `lib/termsupport.zsh`. - Custom user code using the `title` function.\"},{\"lang\":\"es\",\"value\":\"# Vulnerabilidad en la funci\u00f3n \\\"title\\\" **Descripci\u00f3n**: la funci\u00f3n \\\"title\\\" definida en \\\"lib/termsupport.zsh\\\" usa \\\"print\\\" para establecer el t\u00edtulo de la terminal a una cadena proporcionada por el usuario. En Oh My Zsh, esta funci\u00f3n es siempre usada de forma segura, pero el c\u00f3digo de usuario personalizado podr\u00eda usar la funci\u00f3n \\\"title\\\" de forma no segura. **Corregido en**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac). **\u00c1reas afectadas**: - Funci\u00f3n \\\"title\\\" en \\\"lib/termsupport.zsh\\\". 
- C\u00f3digo de usuario personalizado usando la funci\u00f3n \\\"title\\\"\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:planetargon:oh_my_zsh:*:*:*:*:*:*:*:*\",\"versionEndExclu
ding\":\"2021-11-11\",\"matchCriteriaId\":\"80FD5E81-3E73-4921-925C-E55098EAE4B1\"}]}]}],\"references\":[{\"url\":\"https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac\",\"source\":\"security@huntr.dev\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
  }
}

