CVE-2023-40582: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
find-exec is a utility to discover available shell commands. Versions prior to 1.0.3 do not properly escape user input and are vulnerable to Command Injection via an attacker-controlled parameter. As a result, attackers may run malicious shell commands in the context of the running process. This issue has been addressed in version 1.0.3. Users are advised to upgrade. Users unable to upgrade should ensure that all input passed to find-exec comes from a trusted source.
References
Detect and mitigate CVE-2023-40582 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.