CVE-2021-41088

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-41088
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41088.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-41088
Aliases
Related
Published
2021-09-23T20:15:07Z
Modified
2024-10-12T08:26:51.023124Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Elvish is a programming language and interactive shell, combined into one package. In versions prior to 0.14.0 Elvish's web UI backend (started by elvish -web) hosts an endpoint that allows executing the code sent from the web UI. The backend does not check the origin of requests correctly. As a result, if the user has the web UI backend open and visits a compromised or malicious website, the website can send arbitrary code to the endpoint in localhost. All Elvish releases from 0.14.0 onward no longer include the the web UI, although it is still possible for the user to build a version from source that includes the web UI. The issue can be patched for previous versions by removing the web UI (found in web, pkg/web or pkg/prog/web, depending on the exact version).

References

Affected packages

Debian:11 / elvish

Package

Name
elvish
Purl
pkg:deb/debian/elvish?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.14.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / elvish

Package

Name
elvish
Purl
pkg:deb/debian/elvish?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.14.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / elvish

Package

Name
elvish
Purl
pkg:deb/debian/elvish?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.14.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/elves/elvish

Affected ranges

Type
GIT
Repo
https://github.com/elves/elvish
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8

v0.*

v0.1
v0.1.0
v0.10
v0.10.0
v0.10.1
v0.11
v0.11-rc1
v0.11-rc2
v0.11.0
v0.12
v0.12-rc1
v0.12-rc2
v0.12.0
v0.13
v0.13-rc1
v0.13-rc2
v0.13-rc3
v0.13-rc4
v0.13-rc5
v0.13.0
v0.14.0
v0.14.0-rc1
v0.16.0-rc1
v0.2
v0.2.0
v0.3
v0.3.0
v0.4
v0.4.0
v0.5
v0.5.0
v0.6
v0.6.0
v0.7
v0.7.0
v0.8
v0.8.0
v0.9
v0.9.0