2383791 – (CVE-2024-58266) CVE-2024-58266 shlex: Shlex Command Injection Vulnerability

Bug 2383791 (CVE-2024-58266) - CVE-2024-58266 shlex: Shlex Command Injection Vulnerability

Summary: CVE-2024-58266 shlex: Shlex Command Injection Vulnerability

Keywords:
Status:	NEW
Alias:	CVE-2024-58266
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2383832 2383833 2383835 2383837 2383839 2383840 2383842 2383834 2383836 2383838 2383841
Blocks:
TreeView+	depends on / blocked

Reported:	2025-07-27 22:01 UTC by OSIDB Bzimport
Modified:	2025-09-17 12:53 UTC (History)
CC List:	41 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-07-27 22:01:15 UTC

The shlex crate before 1.2.1 for Rust allows unquoted and unescaped instances of the { and \xa0 characters, which may facilitate command injection.

Comment 2 Fabio Valentini 2025-07-29 20:36:56 UTC

Why was this filed *now*? This was previously published as RUSTSEC-2024-0006, and has been fixed in versions 1.2.1 / 1.3.0 of the shlex crate one-and-a-half years ago.

Note You need to log in before you can comment on or make changes to this bug.

anthomas
brasmith
bsmejkal
cochase
dbosanac
decathorpe
dranck
ehelms
ggainey
gotiwari
jachapma
jcantril
jgrulich
jhorak
jreimann
juwatts
jwendell
lball
mdessi
mhulan
mrizzi
mvyas
ngough
nmoumoul
osousa
pcattana
pcreech
periklis
progier
rcernich
rchan
rojacob
smallamp
spichugi
ssidhaye
tbordaz
teagle
tmalecek
tpopela
vashirov
veshanka