Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS12eDI0LXg0bXYtdndyNc4AA-I4

High EPSS: 0.00333% (0.55583 Percentile) EPSS:
Permalink JSON

Starship vulnerable to shell injection via undocumented, unpredictable shell expansion in custom commands

Affected Packages Affected Versions Fixed Versions
cargo:starship
PURL: pkg:cargo/starship
>= 1.0.0, <= 1.19.0 1.20.0
3 Dependent packages
1 Dependent repositories
596,672 Downloads total

Affected Version Ranges

All affected versions

1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.3.0, 1.4.0, 1.4.2, 1.5.4, 1.6.2, 1.6.3, 1.7.0, 1.7.1, 1.8.0, 1.9.1, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.11.0, 1.12.0, 1.13.1, 1.14.1, 1.14.2, 1.15.0, 1.16.0, 1.17.0, 1.17.1, 1.18.1, 1.18.2, 1.19.0

All unaffected versions

0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.9.0, 0.9.1, 0.10.0, 0.10.1, 0.11.0, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.13.1, 0.14.0, 0.14.1, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.19.0, 0.20.1, 0.20.2, 0.21.0, 0.22.0, 0.23.0, 0.24.0, 0.25.0, 0.25.1, 0.25.2, 0.26.0, 0.26.2, 0.26.3, 0.26.4, 0.26.5, 0.27.0, 0.28.0, 0.29.0, 0.30.0, 0.30.1, 0.31.0, 0.32.0, 0.32.1, 0.32.2, 0.33.0, 0.33.1, 0.34.1, 0.35.1, 0.36.0, 0.36.1, 0.37.0, 0.37.1, 0.38.0, 0.38.1, 0.39.0, 0.40.0, 0.40.1, 0.41.0, 0.41.1, 0.41.2, 0.41.3, 0.42.0, 0.43.0, 0.44.0, 0.45.0, 0.45.1, 0.45.2, 0.46.0, 0.46.2, 0.47.0, 0.48.0, 0.49.0, 0.50.0, 0.51.0, 0.52.1, 0.53.0, 0.54.0, 0.55.0, 0.56.0, 0.57.0, 0.58.0, 1.20.1, 1.21.0, 1.21.1, 1.22.0, 1.22.1, 1.23.0

Description

Starship is a cross-shell prompt. Starting in version 1.0.0 and prior to version 1.20.0, undocumented and unpredictable shell expansion and/or quoting rules make it easily to accidentally cause shell injection when using custom commands with starship in bash. Version 1.20.0 fixes the vulnerability.

PoC

Have some custom command which prints out information from a potentially untrusted/unverified source.

[custom.git_commit_name]
command = 'git show -s --format="%<(25,mtrunc)%s"'
style = "italic"
when = true

Impact

This issue only affects users with custom commands, so the scope is limited, and without knowledge of others' commands, it could be hard to successfully target someone.

References:

Identifiers

GHSA-vx24-x4mv-vwr5

CVE-2024-41815

Risk

Severity

High

EPSS

EPSS Percentage: 0.00333

EPSS Percentile: 0.55583

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/starship/starship

Date and time

Published

about 1 year ago

Updated

12 months ago

API

JSON