CVE-2022-0144

7.1 HIGH

📋 TL;DR

CVE-2022-0144 is a privilege management vulnerability in shelljs where the 'exec' function could be tricked into executing commands with elevated privileges when called with specific arguments. This affects any application using vulnerable versions of shelljs, particularly Node.js applications that rely on shelljs for shell command execution. Attackers could potentially execute arbitrary commands with higher privileges than intended.

💻 Affected Systems

Products:
  • shelljs
Versions: shelljs versions before 0.8.5
Operating Systems: All operating systems where shelljs runs (Linux, Windows, macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: Any Node.js application using shelljs's exec function with user-controlled input is vulnerable. The vulnerability is in the library itself, not dependent on specific OS configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with elevated privileges leading to complete system compromise, data exfiltration, or lateral movement within the network.

🟠 Likely Case

Local privilege escalation allowing attackers to execute commands with higher permissions than their current user context, potentially leading to unauthorized access to sensitive resources.

🟢 If Mitigated

Limited impact due to proper input validation, least privilege principles, and network segmentation preventing command execution.

🌐 Internet-Facing: MEDIUM - While the vulnerability requires some level of access to trigger, internet-facing applications using shelljs could be exploited if attackers find injection points.
🏢 Internal Only: MEDIUM - Internal applications and tools using shelljs could be exploited by authenticated users or through other vulnerabilities to escalate privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to control arguments passed to the shelljs exec function. Proof-of-concept code is publicly available in the commit references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: shelljs 0.8.5 and later

Vendor Advisory: https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c

Restart Required: No

Instructions:

1. Update shelljs dependency to version 0.8.5 or later.
2. Run 'npm update shelljs' or 'yarn upgrade shelljs'.
3. Test your application to ensure compatibility with the updated version.
4. Rebuild and redeploy if using bundled dependencies.

🔧 Temporary Workarounds

Input validation and sanitization

Implement strict input validation for any user-controlled data passed to the shelljs exec function.

Use alternative execution methods

Replace shelljs exec with the Node.js child_process module, using explicit argument handling.

// Example: Use child_process.spawn instead
const { spawn } = require('child_process');
const ls = spawn('ls', ['-lh', '/usr']);

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs passed to shelljs functions
  • Run applications with the minimum necessary privileges, following the principle of least privilege

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list shelljs' to see installed version. If version is below 0.8.5, you are vulnerable.

Check Version:

npm list shelljs | grep shelljs

Verify Fix Applied:

After updating, verify shelljs version is 0.8.5 or higher using 'npm list shelljs' or check package-lock.json.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected shell command execution with elevated privileges
  • Anomalous process creation from Node.js applications
  • Failed privilege escalation attempts in system logs

Network Indicators:

  • Unusual outbound connections from Node.js processes
  • Command and control traffic from applications using shelljs

SIEM Query:

process.name: "node" AND process.args: "shelljs" AND process.integrity_level: "high"
