CVE-2022-0144
Improper Privilege Management vulnerability in shelljs (npm)
What is CVE-2022-0144 About?
This vulnerability is an improper privilege management flaw in the `shelljs` library. This type of vulnerability allows an attacker to execute operations with higher privileges than intended, potentially leading to system compromise. Exploitation details are not provided but often involve specific command execution contexts.
Affected Software
Technical Details
The vulnerability in shelljs concerns improper privilege management. This typically means that the library, when executing shell commands or scripts, fails to adequately impose proper privilege boundaries. This could manifest in several ways, such as allowing a user with low privileges to execute commands with the privileges of the system running shelljs, or inheriting unintended elevated permissions when child processes are spawned. The consequence is that operations that should be restricted are allowed, potentially leading to unauthorized system changes or data access.
What is the Impact of CVE-2022-0144?
Successful exploitation may allow attackers to execute arbitrary code with elevated privileges, potentially leading to full system compromise, unauthorized data access, or denial of service.
What is the Exploitability of CVE-2022-0144?
Exploitation complexity is not detailed but typically involves understanding the specific contexts in which shelljs is used and how it handles command execution and privilege inheritance. It often requires local access or the ability to inject commands into a process that utilizes shelljs. Authentication requirements depend on the surrounding application's access model. No special conditions are mentioned, however, the attack would likely involve leveraging a component that uses shelljs in an insecure manner. Risk factors include shelljs being used in sensitive operations, or with inadequate input validation for commands.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2022-0144?
About the Fix from Resolved Security
The patch ensures that temporary files created by execSync are only readable and writable by the current user (permission mode 600), preventing other users from accessing sensitive data or pre-creating files with restrictive permissions. This directly addresses and fixes CVE-2022-0144, a privilege management vulnerability where temporary file permissions could allow unauthorized access or manipulation by other users.
Available Upgrade Options
- shelljs
- <0.8.5 → Upgrade to 0.8.5
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c
- https://github.com/shelljs/shelljs
- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c
- https://nvd.nist.gov/vuln/detail/CVE-2022-0144
- https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c
- https://osv.dev/vulnerability/GHSA-4rq4-32rv-6wp6
- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c
What are Similar Vulnerabilities to CVE-2022-0144?
Similar Vulnerabilities: CVE-2023-48767 , CVE-2023-47209 , CVE-2023-47000 , CVE-2023-46608 , CVE-2023-46231
