Bug 1228389 (CVE-2024-41815) - VUL-0: CVE-2024-41815: starship: Undocumented and unpredictable shell expansion in custom commands can lead to shell injection
Status: NEW
Alias: CVE-2024-41815
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.6
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Dead Mozay
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/415272/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-07-29 06:58 UTC by SMASH SMASH
Modified: 2024-07-29 08:38 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description SMASH SMASH 2024-07-29 06:58:24 UTC
Starship is a cross-shell prompt. Starting in version 1.0.0 and prior to version 1.20.0, undocumented and unpredictable shell expansion and/or quoting rules make it easy to accidentally cause shell injection when using custom commands with starship in bash. This issue only affects users with custom commands, so the scope is limited, and without knowledge of others' commands, it could be hard to successfully target someone. Version 1.20.0 fixes the vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-41815
https://www.cve.org/CVERecord?id=CVE-2024-41815
https://github.com/starship/starship/commit/cfc58161e0ec595db90af686ad77a73df6d44d74
https://github.com/starship/starship/releases/tag/v1.20.0
https://github.com/starship/starship/security/advisories/GHSA-vx24-x4mv-vwr5
Comment 1 Dead Mozay 2024-07-29 07:03:01 UTC
https://build.opensuse.org/request/show/1190074
Comment 2 Thomas Leroy 2024-07-29 08:10:26 UTC
openSUSE:Backports:SLE-15-SP5 and openSUSE:Backports:SLE-15-SP6 are also affected.