CVE-2023-49284
"Fish Command Shell Unicode Marker Injection Vulnerability"
Description
fish is a smart and user-friendly command line shell for macOS, Linux, and the rest of the family. fish shell uses certain Unicode non-characters internally for marking wildcards and expansions. It will incorrectly allow these markers to be read on command substitution output, rather than transforming them into a safe internal representation. While this may cause unexpected behavior with direct input (for example, echo \UFDD2HOME has the same output as echo $HOME), this may become a minor security problem if the output is being fed from an external program into a command substitution where this output may not be expected. This design flaw was introduced in very early versions of fish, predating the version control system, and is thought to be present in every version of fish released in the last 15 years or more, although with different characters. Code execution does not appear to be possible, but denial of service (through large brace expansion) or information disclosure (such as variable expansion) is potentially possible under certain circumstances. fish shell 3.6.2 has been released to correct this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability.
INFO
Published Date :
Dec. 5, 2023, 12:15 a.m.
Last Modified :
Dec. 8, 2023, 9:15 p.m.
Source :
[email protected]
Remotely Exploitable :
No
Impact Score :
5.2
Exploitability Score :
1.3
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2023-49284.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2023-49284 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2023-49284 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by [email protected]
May. 14, 2024
Action Type Old Value New Value -
CVE Modified by [email protected]
Dec. 08, 2023
Action Type Old Value New Value Added Reference GitHub, Inc. http://www.openwall.com/lists/oss-security/2023/12/08/1 [No types assigned] -
Initial Analysis by [email protected]
Dec. 08, 2023
Action Type Old Value New Value Added CVSS V3.1 NIST AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H Changed Reference Type https://github.com/fish-shell/fish-shell/commit/09986f5563e31e2c900a606438f1d60d008f3a14 No Types Assigned https://github.com/fish-shell/fish-shell/commit/09986f5563e31e2c900a606438f1d60d008f3a14 Patch Changed Reference Type https://github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f No Types Assigned https://github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f Exploit, Vendor Advisory Added CPE Configuration OR *cpe:2.3:a:fishshell:fish:*:*:*:*:*:*:*:* versions up to (excluding) 3.6.2 -
CVE Received by [email protected]
Dec. 05, 2023
Action Type Old Value New Value Added Description fish is a smart and user-friendly command line shell for macOS, Linux, and the rest of the family. fish shell uses certain Unicode non-characters internally for marking wildcards and expansions. It will incorrectly allow these markers to be read on command substitution output, rather than transforming them into a safe internal representation. While this may cause unexpected behavior with direct input (for example, echo \UFDD2HOME has the same output as echo $HOME), this may become a minor security problem if the output is being fed from an external program into a command substitution where this output may not be expected. This design flaw was introduced in very early versions of fish, predating the version control system, and is thought to be present in every version of fish released in the last 15 years or more, although with different characters. Code execution does not appear to be possible, but denial of service (through large brace expansion) or information disclosure (such as variable expansion) is potentially possible under certain circumstances. fish shell 3.6.2 has been released to correct this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability. Added Reference GitHub, Inc. https://github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f [No types assigned] Added Reference GitHub, Inc. https://github.com/fish-shell/fish-shell/commit/09986f5563e31e2c900a606438f1d60d008f3a14 [No types assigned] Added CWE GitHub, Inc. CWE-436 Added CVSS V3.1 GitHub, Inc. AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2023-49284 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2023-49284
weaknesses.
Exploit Prediction
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.
0.04 }} 0.00%
score
0.07844
percentile