Advisories for Golang/Github.com/Mutagen-Io/Mutagen package

2023

Under-validated ComSpec and cmd.exe resolution in Mutagen projects

Impact

Mutagen projects offer shell-based execution functionality. On Windows, the shell is resolved using the standard %ComSpec% mechanism, with a fallback to a %PATH%-based search for cmd.exe. While this is the standard practice on Windows systems, it presents somewhat risky behavior. Firstly, %ComSpec% could, in theory, be set maliciously. Unfortunately, there's not much that can be done to prevent this attack surface, because %ComSpec% is the official mechanism for shell …