Bug 2043535 (CVE-2022-0144)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2022-0144 nodejs-shelljs: improper privilege management | | |
| Product | [Other] Security Response | Reporter | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | extras-orphan, gparvin, jramanat, michal.skrivanek, mperina, njean, nodejs-sig, pahickey, sbonazzo, sgratch, stcannon, tchollingsworth |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | shelljs 0.8 | Doc Type | If docs needed, set a value |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2022-04-21 05:31:01 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 2043536, 2044445, 2048436, 2048437, 2048438, 2065487, 2065497 | | |
| Bug Blocks | 2043537 | | |

Doc Text:

A flaw was found in the ShellJS library when the scripts used the exec function. Local users on the filesystem could take advantage of this as they can read the stdout of the ShellJS process. This issue discloses sensitive information, leading to privilege escalation. This flaw allows an attacker to craft stdout files, which leads to crashing the ShellJS scripts running with privileges.
Description
Guilherme de Almeida Suckevicz
2022-01-21 13:31:59 UTC
Created nodejs-shelljs tracking bugs for this issue:

Affects: epel-7 [bug 2043536]

Marking services-rhcert affected/delegated. Affected code present in manifest, but use of affected function not found in cursory review of source.

This issue has been addressed in the following products:

Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2022:1083 https://access.redhat.com/errata/RHSA-2022:1083

This issue has been addressed in the following products:

Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:1476 https://access.redhat.com/errata/RHSA-2022:1476

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0144