CVE-2021-36753

7.8 HIGH

📋 TL;DR

CVE-2021-36753 is a path traversal vulnerability in sharkdp's BAT syntax highlighter where the application executes less.exe from the current working directory instead of the system PATH. This allows attackers to execute arbitrary code by placing a malicious less.exe file in a directory that a user then runs BAT from. All users of BAT versions before 0.18.2 are affected.

💻 Affected Systems

Products:
  • sharkdp BAT
Versions: All versions before 0.18.2
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when BAT is configured to use less as the pager (default behavior). The issue affects all platforms where BAT is installed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise via arbitrary code execution with the privileges of the user running BAT, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠

Likely Case

Local privilege escalation or arbitrary code execution when users run BAT from untrusted directories containing malicious less.exe files.

🟢

If Mitigated

Limited impact if users only run BAT from trusted directories and have proper file permissions restricting write access to those directories.

🌐 Internet-Facing: LOW - This is primarily a local execution vulnerability requiring user interaction with untrusted directories.
🏢 Internal Only: MEDIUM - Internal users could be tricked into running BAT from malicious directories, especially in shared environments or with phishing attacks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to place a malicious less.exe in a directory and convince the user to run BAT from that directory. Public proof-of-concept exists in the advisory references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.18.2 and later

Vendor Advisory: https://github.com/sharkdp/bat/releases/tag/v0.18.2

Restart Required: No

Instructions:

1. Update BAT using your package manager (apt, yum, brew, etc.)
2. Or download and install version 0.18.2+ from GitHub releases
3. Verify the update with 'bat --version'

🔧 Temporary Workarounds

Disable less pager

all

Configure BAT to not use less as the pager, preventing the vulnerable code path

export BAT_PAGER=""

Use absolute PATH for less

linux

Ensure less is only executed from system PATH by modifying environment

export PATH="/usr/bin:$PATH"

🧯 If You Can't Patch

  • Restrict user permissions to prevent writing executable files to directories where BAT might be run
  • Educate users to never run BAT from untrusted or shared directories

🔍 How to Verify

Check if Vulnerable:

Run 'bat --version' and check if version is below 0.18.2

Check Version:

bat --version

Verify Fix Applied:

Run 'bat --version' and confirm version is 0.18.2 or higher

📡 Detection & Monitoring

Log Indicators:

  • Process execution of less.exe from non-standard directories
  • BAT process spawning unexpected child processes

Network Indicators:

  • Unusual outbound connections following BAT execution

SIEM Query:

Process Creation where (Image contains "less.exe" and ParentImage contains "bat.exe") OR (CommandLine contains "less" and ParentImage contains "bat")
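The SIEM query above can be expressed as a small detection routine run over process-creation events. This is an added example, not part of the advisory: it assumes Sysmon-style field names (Image, ParentImage, CurrentDirectory), a hypothetical allowlist of trusted pager locations, and the sample events below are constructed.

```python
import ntpath
import posixpath

# Assumed trusted locations for the less pager; adjust for your environment.
TRUSTED_LESS_DIRS = {
    r"c:\program files\git\usr\bin",
    "/usr/bin",
    "/usr/local/bin",
}


def _split(path):
    """Return (directory, basename) of a Windows or POSIX path, lower-cased."""
    p = path.lower()
    mod = ntpath if "\\" in p else posixpath
    head, tail = mod.split(p)
    return head.rstrip("\\/"), tail


def is_suspicious_less_spawn(event):
    """True when a bat process spawned less from outside TRUSTED_LESS_DIRS.

    The CVE-2021-36753 pattern is less.exe resolved from the current working
    directory rather than the system PATH, so the child's directory matching
    CurrentDirectory is the classic indicator; any untrusted location is flagged.
    """
    child_dir, child_name = _split(event["Image"])
    _, parent_name = _split(event["ParentImage"])
    if parent_name not in ("bat", "bat.exe") or child_name not in ("less", "less.exe"):
        return False
    return child_dir not in TRUSTED_LESS_DIRS


def find_suspicious(events):
    """Return the indices of events that match the suspicious pattern."""
    return [i for i, ev in enumerate(events) if is_suspicious_less_spawn(ev)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Git\usr\bin\less.exe",          # benign
     "ParentImage": r"C:\Users\alice\.cargo\bin\bat.exe",
     "CurrentDirectory": r"C:\Users\alice\src"},
    {"Image": r"C:\Users\alice\Downloads\untrusted\less.exe",     # less from cwd
     "ParentImage": r"C:\Users\alice\.cargo\bin\bat.exe",
     "CurrentDirectory": r"C:\Users\alice\Downloads\untrusted"},
    {"Image": "/usr/bin/less", "ParentImage": "/usr/bin/bat",     # benign
     "CurrentDirectory": "/home/alice"},
    {"Image": r"C:\temp\less.exe",                                # not spawned by bat
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CurrentDirectory": r"C:\temp"},
]
```

Running find_suspicious(SAMPLE_EVENTS) flags only the second event; feed it the Image, ParentImage and CurrentDirectory fields from your own process-creation logs.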

🔗 References
