internal/genericosv/testdata/yaml/GHSA-jmp2-wc4p-wfh2.yaml - vulndb - Git at Google

 id: GO-TEST-ID
 modules:
     - module: github.com/mutagen-io/mutagen
       versions:
         - fixed: 0.16.6
         - introduced: 0.17.0
           fixed: 0.17.1
       vulnerable_at: 0.17.0
     - module: github.com/mutagen-io/mutagen-compose
       versions:
         - fixed: 0.17.1
       vulnerable_at: 0.17.0
 summary: |-
     Mutagen list and monitor operations do not neutralize control characters in text
     controlled by remote endpoints in github.com/mutagen-io/mutagen
 description: |-
     ### Impact

     Mutagen command line operations, as well as the log output from `mutagen daemon
     run`, are susceptible to control characters that could be provided by remote
     endpoints. This can cause terminal corruption, either intentional or
     unintentional, if these characters are present in error messages, file
     paths/names, and/or log output. This could be used as an attack vector if
     synchronizing with an untrusted remote endpoint, synchronizing files not under
     control of the user, or forwarding to/from an untrusted remote endpoint. On very
     old systems with terminals susceptible to issues such as
     [CVE-2003-0069](https://nvd.nist.gov/vuln/detail/CVE-2003-0069), the issue could
     theoretically cause code execution.

     ### Patches

     The problem has been patched in Mutagen v0.16.6 and v0.17.1. Earlier versions of
     Mutagen are no longer supported and will not be patched. Versions of Mutagen
     after v0.18.0 will also have the patch merged.

     One caveat is that the templating functionality of Mutagen's `list` and
     `monitor` commands has been only partially patched. In particular, the `json`
     template function already provided escaping and no patching was necessary.
     However, raw template output has been left unescaped because this raw output may
     be necessary for commands which embed Mutagen. To aid these commands, a new
     `shellSanitize` template function has been added which provides control
     character neutralization in strings.

     ### Workarounds

     Avoiding synchronization of untrusted files or interaction with untrusted remote
     endpoints should mitigate any risk.

     ### References

     A similar issue can be seen in kubernetes/kubernetes#101695.
 cves:
     - CVE-2023-30844
 ghsas:
     - GHSA-jmp2-wc4p-wfh2
 references:
     - advisory: https://github.com/mutagen-io/mutagen/security/advisories/GHSA-jmp2-wc4p-wfh2
     - web: https://github.com/mutagen-io/mutagen/releases/tag/v0.16.6
     - web: https://github.com/mutagen-io/mutagen/releases/tag/v0.17.1
 notes:
     - lint: 'description: possible markdown formatting (found ### )'
     - lint: 'description: possible markdown formatting (found [CVE-2003-0069](https://nvd.nist.gov/vuln/detail/CVE-2003-0069))'
     - lint: 'description: possible markdown formatting (found `list`)'
     - lint: 'summary: too long (found 144 characters, want <=125)'
 source:
     id: GHSA-jmp2-wc4p-wfh2
	id: GO-TEST-ID
	modules:
	- module: github.com/mutagen-io/mutagen
	versions:
	- fixed: 0.16.6
	- introduced: 0.17.0
	fixed: 0.17.1
	vulnerable_at: 0.17.0
	- module: github.com/mutagen-io/mutagen-compose
	versions:
	- fixed: 0.17.1
	vulnerable_at: 0.17.0
	summary: \|-
	Mutagen list and monitor operations do not neutralize control characters in text
	controlled by remote endpoints in github.com/mutagen-io/mutagen
	description: \|-
	### Impact

	Mutagen command line operations, as well as the log output from `mutagen daemon
	run`, are susceptible to control characters that could be provided by remote
	endpoints. This can cause terminal corruption, either intentional or
	unintentional, if these characters are present in error messages, file
	paths/names, and/or log output. This could be used as an attack vector if
	synchronizing with an untrusted remote endpoint, synchronizing files not under
	control of the user, or forwarding to/from an untrusted remote endpoint. On very
	old systems with terminals susceptible to issues such as
	[CVE-2003-0069](https://nvd.nist.gov/vuln/detail/CVE-2003-0069), the issue could
	theoretically cause code execution.

	### Patches

	The problem has been patched in Mutagen v0.16.6 and v0.17.1. Earlier versions of
	Mutagen are no longer supported and will not be patched. Versions of Mutagen
	after v0.18.0 will also have the patch merged.

	One caveat is that the templating functionality of Mutagen's `list` and
	`monitor` commands has been only partially patched. In particular, the `json`
	template function already provided escaping and no patching was necessary.
	However, raw template output has been left unescaped because this raw output may
	be necessary for commands which embed Mutagen. To aid these commands, a new
	`shellSanitize` template function has been added which provides control
	character neutralization in strings.

	### Workarounds

	Avoiding synchronization of untrusted files or interaction with untrusted remote
	endpoints should mitigate any risk.

	### References

	A similar issue can be seen in kubernetes/kubernetes#101695.
	cves:
	- CVE-2023-30844
	ghsas:
	- GHSA-jmp2-wc4p-wfh2
	references:
	- advisory: https://github.com/mutagen-io/mutagen/security/advisories/GHSA-jmp2-wc4p-wfh2
	- web: https://github.com/mutagen-io/mutagen/releases/tag/v0.16.6
	- web: https://github.com/mutagen-io/mutagen/releases/tag/v0.17.1
	notes:
	- lint: 'description: possible markdown formatting (found ### )'
	- lint: 'description: possible markdown formatting (found [CVE-2003-0069](https://nvd.nist.gov/vuln/detail/CVE-2003-0069))'
	- lint: 'description: possible markdown formatting (found `list`)'
	- lint: 'summary: too long (found 144 characters, want <=125)'
	source:
	id: GHSA-jmp2-wc4p-wfh2