CVE Tools
Sign in

CVE-2024-42482

fish-shop/syntax-check Improper Neutralization of Delimiters

Published: Aug 12, 2024Updated: Sep 17, 2024 Sources: CVE List NVD GHSACWE-140
NVD MITRE
4.8CVSSMEDIUM
EPSS Score
0.8%
Top 47.6%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

fish-shop/syntax-check is a GitHub action for syntax checking fish shell files. Improper neutralization of delimiters in the `pattern` input (specifically the command separator `;` and command substitution characters `(` and `)`) mean that arbitrary command injection is possible by modification of the input value used in a workflow. This has the potential for exposure or exfiltration of sensitive information from the workflow runner, such as might be achieved by sending environment variables to an external entity. It is recommended that users update to the patched version `v1.6.12` or the latest release version `v2.0.0`, however remediation may be possible through careful control of workflows and the `pattern` input value used by this action.

CVSS Vector Breakdown

AV:NAC:HPR:NUI:NS:UC:LI:LA:N
Exploitability
AV:NAttack Vector
Network
AC:HAttack Complexity
High
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:LConfidentiality
Low
I:LIntegrity
Low
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-140NVD-CWE-Other

Affected Products

syntax-checkfish-shop
fish-shop/syntax-checkGitHub Actions
SaaS
DevTools & CI / ci-cd
github actionscommercialUSDevTools & CIaka github actions

Exploitability

Official Patch Available

References

https://github.com/fish-shop/syntax-check/commit/91e6817c48ad475542fe4e78139029b036a53b03
github.com
https://github.com/fish-shop/syntax-check/commit/c2cb11395e21119ff8d6e7ea050430ee7d6f49ca
github.com
https://github.com/fish-shop/syntax-check/security/advisories/GHSA-xj87-mqvh-88w2
github.com
and 2 more references View all →

Timeline

Published
Aug 12, 2024
Last Updated
Sep 17, 2024

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2024-42482 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows