Candidate: CVE-2021-42740
PublicDate: 2021-10-21 15:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740
 https://github.com/substack/node-shell-quote/commit/5799416ed454aa4ec9afafc895b4e31760ea1abe
 https://www.npmjs.com/package/shell-quote
 https://github.com/substack/node-shell-quote/blob/master/CHANGELOG.md#173
Description:
 The shell-quote package before 1.7.3 for Node.js allows command injection.
 An attacker can inject unescaped shell metacharacters through a regex
 designed to support Windows drive letters. If the output of this package is
 passed to a real shell as a quoted argument to a command with exec(), an
 attacker can inject arbitrary commands. This is because the Windows drive
 letter regex character class is {A-z] instead of the correct {A-Za-z].
 Several shell metacharacters exist in the space between capital letter Z
 and lower case letter a, such as the backtick character.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_node-shell-quote:
upstream_node-shell-quote: needs-triage
trusty_node-shell-quote: ignored (out of standard support)
xenial_node-shell-quote: ignored (out of standard support)
bionic_node-shell-quote: needed
focal_node-shell-quote: DNE
hirsute_node-shell-quote: DNE
impish_node-shell-quote: DNE
jammy_node-shell-quote: not-affected (1.7.3+~1.7.1-1)
devel_node-shell-quote: not-affected (1.7.3+~1.7.1-1)