CVE-2023-30844: Improper Encoding or Escaping of Output in Mutagen-io Mutagen

Severity
NVD: 8.8 HIGH
GHSA: 7.5
OSV: 7.5
EPSS: 0.5% (top 34.13%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: May 8
Latest update: Aug 20

Description

Mutagen provides real-time file synchronization and flexible network forwarding for developers. Prior to versions 0.16.6 and 0.17.1 in `mutagen` and prior to version 0.17.1 in `mutagen-compose`, Mutagen `list` and `monitor` commands are susceptible to control characters that could be provided by remote endpoints. This could cause terminal corruption, either intentional or unintentional, if these characters were present in error messages or file paths/names. This could be used as an attack vector
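The defensive fix for this class of bug is to neutralize every control character in remote-supplied text (paths, names, error messages) before it reaches the terminal. The Go code below is an added example, not Mutagen's own code: NeutralizeControl and FormatSessionStatus are hypothetical helpers, and the sample path and error message are constructed.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// NeutralizeControl returns s with every control character (Unicode category
// Cc: C0 0x00-0x1F, DEL 0x7F and C1 0x80-0x9F) replaced by a visible escape
// such as \x1b, so the result cannot drive the terminal. Escaping ESC is what
// defuses ANSI/CSI/OSC sequences; LF and CR are escaped as well because the
// output is line-oriented and a remote newline could forge a whole line.
// Invalid UTF-8 bytes are escaped byte by byte rather than passed through.
func NeutralizeControl(s string) string {
	var b strings.Builder
	b.Grow(len(s))
	for i := 0; i < len(s); {
		r, size := utf8.DecodeRuneInString(s[i:])
		switch {
		case r == utf8.RuneError && size == 1:
			fmt.Fprintf(&b, "\\x%02x", s[i]) // undecodable byte
		case unicode.IsControl(r) && r <= 0x7f:
			fmt.Fprintf(&b, "\\x%02x", r) // C0 and DEL
		case unicode.IsControl(r):
			fmt.Fprintf(&b, "\\u%04x", r) // C1 (U+0080..U+009F)
		default:
			b.WriteRune(r)
		}
		i += size
	}
	return b.String()
}

// FormatSessionStatus renders one status line of the kind a list/monitor
// command prints (hypothetical helper). Every field that originated on a
// remote endpoint is passed through NeutralizeControl; the local session
// name is trusted and printed as-is.
func FormatSessionStatus(name, remotePath, remoteErr string) string {
	line := fmt.Sprintf("%s: %s", name, NeutralizeControl(remotePath))
	if remoteErr != "" {
		line += " (error: " + NeutralizeControl(remoteErr) + ")"
	}
	return line
}

func main() {
	// Constructed sample: the remote path carries a "clear screen, cursor
	// home" sequence and the error message a forged extra line plus a bell.
	path := "docs/\x1b[2J\x1b[H/notes.txt"
	errMsg := "permission denied\nother-session: ok\a"
	fmt.Println(FormatSessionStatus("work", path, errMsg))
}
```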

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages: 4 packages

Vulnerability Details (3 entries)
OSV (2024-08-20): Mutagen list and monitor operations do not neutralize control characters in text controlled by remote endpoints in github.com/mutagen-io/mutagen
GHSA (2023-05-05): Mutagen list and monitor operations do not neutralize control characters in text controlled by remote endpoints
OSV (2023-05-05): Mutagen list and monitor operations do not neutralize control characters in text controlled by remote endpoints
CVE-2023-30844 — Mutagen-io Mutagen vulnerability | cvebase