SCA: security update for shescape (GHSA-44vr-rwwj-p88h)

critical Tenable Self-Hosted Container Security Plugin ID 409944

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Shescape is a simple shell escape package for JavaScript. Affected versions were found to have
insufficient escaping of white space when interpolating output. This issue only impacts users that use the
`escape` or `escapeAll` functions with the `interpolation` option set to `true`. The result is that if an
attacker is able to include whitespace in their input they can:
  1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace.
  2. Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters.
  3. Invoke arbitrary commands by inserting a line feed character.
  4. Invoke arbitrary commands by inserting a carriage return character.
  Behaviour number 1 has been patched in [v1.5.7], which you can upgrade to now. No further changes are
required. Behaviours number 2, 3, and 4 have been patched in [v1.5.8], which you can upgrade to now. No
further changes are required. The best workaround is to avoid having to use the `interpolation: true`
option; in most cases using an alternative is possible, see [the
recipes](https://github.com/ericcornelissen/shescape#recipes) for recommendations. Alternatively, users
may strip all whitespace from user input. Note that this is error prone; for example, for PowerShell this
requires stripping `'\u0085'`, which is not included in JavaScript's definition of `\s` for Regular
Expressions. (CVE-2022-31180)

See Also

https://github.com/advisories/GHSA-44vr-rwwj-p88h

Plugin Details

Severity: Critical

ID: 409944

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-31180

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/15/2022

Vulnerability Publication Date: 7/15/2022

Reference Information

CVE: CVE-2022-31180

CWE: CWE-74