Details
-
Dependency upgrade
-
Status: Closed
-
Minor
-
Resolution: Fixed
-
None
-
None
Description
Affected versions of this package are vulnerable to Command Injection. The Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks. The BourneShell class should unconditionally single-quote emitted strings (including the name of the command itself being quoted), with {{'"'"'}} used for embedded single quotes, for maximum safety across shells implementing a superset of POSIX quoting rules.
This is a similar issue to SNYK-JAVA-ORGCODEHAUSPLEXUS-31522