CVE-2023-49284: Interpretation Conflict in fish-shell

Severity: 6.6 MEDIUM (NVD)
EPSS: 0.1% (top 75.08%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 5; Latest update Dec 12

Description

fish is a smart and user-friendly command line shell for macOS, Linux, and the rest of the family. fish shell uses certain Unicode non-characters internally for marking wildcards and expansions. It will incorrectly allow these markers to be read on command substitution output, rather than transforming them into a safe internal representation. While this may cause unexpected behavior with direct input (for example, echo \UFDD2HOME has the same output as echo $HOME), this may become a minor securi
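The description above is about in-band signalling: the shell's internal buffer uses reserved code points as control markers, and untrusted command-substitution output was copied into that buffer without neutralising those code points. The following Python model is an added illustration, not fish's own code and not its patch. It assumes U+FDD2 is the variable-expansion marker (taken from the advisory's `echo \UFDD2HOME` example), assumes an arbitrary private-use range starting at U+F700 for the hardened encoding, and parses only `$NAME`; the environment and the hostile output are constructed sample data.

```python
"""Toy model of CVE-2023-49284 (added example, not fish's own code).

Assumptions: U+FDD2 stands for the variable-expansion marker (from the
advisory's `echo \\UFDD2HOME` example); U+F700.. is an arbitrary private-use
range chosen here for the hardened encoding; only `$NAME` is parsed.
"""
import re
from typing import Optional

VAR_MARK = "\uFDD2"      # internal "expand this variable" marker (assumed value)
ENCODE_BASE = 0xF700     # assumed private-use base for the safe encoding
NAME = r"([A-Za-z_][A-Za-z0-9_]*)"


def is_noncharacter(ch: str) -> bool:
    """Unicode noncharacters: U+FDD0..U+FDEF and U+xxFFFE / U+xxFFFF."""
    cp = ord(ch)
    return 0xFDD0 <= cp <= 0xFDEF or (cp & 0xFFFE) == 0xFFFE


def encode_untrusted(text: str) -> str:
    """Hardened path: map each noncharacter in untrusted text to a private-use
    code point so the expander can never read it as a marker. Reversible.
    (A full implementation would also escape code points that already sit in
    the ENCODE_BASE range; that is left out of this model.)"""
    out = []
    for ch in text:
        cp = ord(ch)
        if 0xFDD0 <= cp <= 0xFDEF:
            out.append(chr(ENCODE_BASE + cp - 0xFDD0))                       # U+F700..U+F71F
        elif (cp & 0xFFFE) == 0xFFFE:
            out.append(chr(ENCODE_BASE + 0x20 + (cp >> 16) * 2 + (cp & 1)))  # U+F720..U+F741
        else:
            out.append(ch)
    return "".join(out)


def decode_internal(text: str) -> str:
    """Inverse of encode_untrusted, applied when text leaves the shell."""
    out = []
    for ch in text:
        idx = ord(ch) - ENCODE_BASE
        if 0 <= idx < 0x20:
            out.append(chr(0xFDD0 + idx))
        elif 0x20 <= idx < 0x20 + 34:
            j = idx - 0x20
            out.append(chr(((j // 2) << 16) | 0xFFFE | (j % 2)))
        else:
            out.append(ch)
    return "".join(out)


def parse_typed(src: str) -> str:
    """Typed `$NAME` becomes VAR_MARK+NAME. A marker typed directly passes
    through untouched, which is the advisory's `echo \\UFDD2HOME` observation."""
    return re.sub(r"\$" + NAME, lambda m: VAR_MARK + m.group(1), src)


def expand(internal: str, env: dict) -> str:
    """Replace every VAR_MARK+NAME in the internal buffer with its value."""
    return re.sub(VAR_MARK + NAME, lambda m: env.get(m.group(1), ""), internal)


def run_echo(typed: str, cmdsub_output: Optional[str], env: dict, fixed: bool) -> str:
    """Model `echo <typed> (<cmd>)`, where <cmd> printed cmdsub_output.

    Vulnerable path: the output is appended to the internal buffer verbatim,
    so a noncharacter inside it is later read as a marker. Fixed path: the
    output goes through encode_untrusted first and is decoded only on the
    way out, so the bytes survive but are never interpreted."""
    buf = parse_typed(typed)
    if cmdsub_output is not None:
        buf += encode_untrusted(cmdsub_output) if fixed else cmdsub_output
    return decode_internal(expand(buf, env))


if __name__ == "__main__":
    env = {"HOME": "/home/alice"}        # constructed sample environment
    poison = "\uFDD2HOME"                # constructed: what a hostile command printed
    print(repr(run_echo("$HOME", None, env, fixed=False)))   # '/home/alice'
    print(repr(run_echo("", poison, env, fixed=False)))      # '/home/alice' (leaked)
    print(repr(run_echo("", poison, env, fixed=True)))       # '\ufdd2HOME' (literal)
```

The point to check in any shell or template engine with the same design: markers that the parser emits for trusted input must be unreachable from data paths (command output, file contents, environment) unless that data is escaped into a representation the expander ignores. In the model the typed-marker case still expands, matching the "unexpected behavior with direct input" the description mentions; only the substitution path, which is where attacker-controlled text arrives, is hardened.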

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H (Exploitability: 1.3 | Impact: 5.2)
Decoded: local attack vector, low complexity, low privileges required, user interaction required, scope unchanged; high confidentiality and availability impact, no integrity impact.

Affected Packages (5 packages)

- NVD: fishshell/fish < 3.6.2
- CVE List V5: fish-shell/fish-shell < 3.6.2
- Debian: fishshell/fish < 3.6.0-3.1+deb12u1+2
- debian: debian/fish < fish 3.6.0-3.1+deb12u1 (bookworm)

Patches

Vulnerability Details

- OSV: CVE-2023-49284: fish is a smart and user-friendly command line shell for macOS, Linux, and the rest of the family (2023-12-05)

Vendor Advisories

- Microsoft: Command substitution output can trigger shell expansion in fish shell (2023-12-12)
- Debian: CVE-2023-49284: fish - fish is a smart and user-friendly command line shell for macOS, Linux, and the r... (2023)
CVE-2023-49284 — Interpretation Conflict in Fish-shell | cvebase