Bug 2043535 (CVE-2022-0144)

Summary: CVE-2022-0144 nodejs-shelljs: improper privilege management
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: extras-orphan, gparvin, jramanat, michal.skrivanek, mperina, njean, nodejs-sig, pahickey, sbonazzo, sgratch, stcannon, tchollingsworth
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: shelljs 0.8 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the ShellJS library when the scripts used the exec function. Local users on the filesystem could take advantage of this as they can read the stdout of the ShellJS process. This issue discloses sensitive information, leading to privilege escalation. This flaw allows an attacker to craft stdout files, which leads to crashing the ShellJS scripts running with privileges.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-04-21 05:31:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2043536, 2044445, 2048436, 2048437, 2048438, 2065487, 2065497    
Bug Blocks: 2043537    

Description Guilherme de Almeida Suckevicz 2022-01-21 13:31:59 UTC 
shelljs is vulnerable to improper pPrivilege management.

Reference:
https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c

Upstream patch:
https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c
Comment 1 Guilherme de Almeida Suckevicz 2022-01-21 13:32:39 UTC 
Created nodejs-shelljs tracking bugs for this issue:

Affects: epel-7 [bug 2043536]
Comment 2 juneau 2022-01-24 16:06:20 UTC 
Marking services-rhcert affected/delegated. Affected code present in manifest, but use of affected function not found in cursory review of source.
Comment 5 errata-xmlrpc 2022-03-28 19:36:29 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2022:1083 https://access.redhat.com/errata/RHSA-2022:1083
Comment 6 errata-xmlrpc 2022-04-20 23:46:04 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:1476 https://access.redhat.com/errata/RHSA-2022:1476
Comment 7 Product Security DevOps Team 2022-04-21 05:30:59 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0144