Command Injection in ascii-art
Low severity
GitHub Reviewed
Reviewed Aug 31, 2020
Published Sep 1, 2020 to the GitHub Advisory Database • Updated Jan 9, 2023
Description
Versions of ascii-art before 1.4.4 are vulnerable to command injection. This is exploitable when user input is passed into the argument of the ascii-art preview command.
Example proof of concept:
ascii-art preview 'doom"; touch /tmp/malicious; echo "'
Given that the input is passed on the command line and none of the API methods are vulnerable to this, the likely exploitation vector is when the ascii-art command is being called programmatically using something like execFile.
Recommendation
Update to version 1.4.4 or later.