Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-2c47-m757-32g6: Insufficient input sanitization in ejson2env

Summary

The ejson2env tool has a vulnerability related to how it writes to stdout. Specifically, the tool is intended to write an export statement for environment variables and their values. However, due to inadequate output sanitization, there is a potential risk where variable names or values may include malicious content, resulting in additional unintended commands being output to stdout. If this output is improperly utilized in further command execution, it could lead to command injection vulnerabilities, allowing an attacker to execute arbitrary commands on the host system.

Details

The vulnerability exists because environment variables are not properly sanitized during the decryption phase, which enables malicious keys or encrypted values to inject commands.

Impact

An attacker with control over .ejson files can inject commands in the environment where source $(ejson2env) or eval ejson2env are executed.

Mitigation

  • Update to a version of ejson2env that sanitizes the output during decryption or
  • Do not use ejson2env to decrypt untrusted user secrets or
  • Do not evaluate or execute the direct output from ejson2env without removing nonprintable characters.

Credit

Thanks to security researcher Demonia for reporting this issue.

ghsa
Open in Source
#vulnerability#js#perl

Summary

The ejson2env tool has a vulnerability related to how it writes to stdout. Specifically, the tool is intended to write an export statement for environment variables and their values. However, due to inadequate output sanitization, there is a potential risk where variable names or values may include malicious content, resulting in additional unintended commands being output to stdout. If this output is improperly utilized in further command execution, it could lead to command injection vulnerabilities, allowing an attacker to execute arbitrary commands on the host system.

Details

The vulnerability exists because environment variables are not properly sanitized during the decryption phase, which enables malicious keys or encrypted values to inject commands.

Impact

An attacker with control over .ejson files can inject commands in the environment where source $(ejson2env) or eval ejson2env are executed.

Mitigation

  • Update to a version of ejson2env that sanitizes the output during decryption or
  • Do not use ejson2env to decrypt untrusted user secrets or
  • Do not evaluate or execute the direct output from ejson2env without removing nonprintable characters.

Credit

Thanks to security researcher Demonia for reporting this issue.

References

  • GHSA-2c47-m757-32g6
  • Shopify/ejson2env@592b3ce

ghsa: Latest News

GHSA-c37v-3c8w-crq8: zot logs secrets
ghsa