SCA: security update for shescape (GHSA-jjc5-fp7p-6f8w)

critical Tenable Self-Hosted Container Security Plugin ID 416418

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Shescape is a simple shell escape package for JavaScript. Versions prior to 1.5.8 were found to be subject
to code injection on Windows. This impacts users that use Shescape (any API function) to escape arguments
for cmd.exe on Windows. An attacker can omit all arguments following their input by including a line feed
character (`'\n'`) in the payload. This bug has been patched in v1.5.8, which you can upgrade to now. No
further changes are required. Alternatively, line feed characters (`'\n'`) can be stripped out manually or
the user input can be made the last argument (this only limits the impact). (CVE-2022-31179)

See Also

https://github.com/advisories/GHSA-jjc5-fp7p-6f8w

Plugin Details

Severity: Critical

ID: 416418

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-31179

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/15/2022

Vulnerability Publication Date: 7/15/2022

Reference Information

CVE: CVE-2022-31179

CWE: CWE-74