dye Color Library Arbitrary Code Execution Vulnerability
Vulnerability
A code injection vulnerability has been identified in the dye color library for shell scripts, in version 1.1.0 (before the 1.1.1 release). Certain dye template expressions execute arbitrary code when they are processed. The vulnerability was discovered and fixed by the author of dye.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the system where the affected version of dye is used.
Reproduction
The vulnerability can be reproduced by creating a file with a name that includes a command injection payload, such as a command to create a file. When this file name is processed by a dye template expression, the embedded command is executed as if it were a native dye command. This can be verified by checking for the presence of the created file after the dye command is executed.
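The bug class described above, as an added example that is not dye's code and not taken from the advisory: `render_unsafe` and `render_safe` are hypothetical renderers, and the file name is constructed with a benign payload that only creates a marker file. It shows data spliced into a string the shell re-parses, next to the same output produced with the name passed purely as an argument.

```shell
#!/bin/sh
# Added illustration of the bug class; NOT dye's implementation.
# render_unsafe, render_safe and payload_ran are hypothetical names.

# Vulnerable pattern: untrusted text is spliced into a command string
# that eval parses again, so $(...) inside the text is executed.
render_unsafe() {   # $1 = ANSI colour code, $2 = untrusted text
  eval "printf '\\033[%sm%s\\033[0m\\n' \"$1\" \"$2\""
}

# Hardened pattern: the text is only ever a printf argument (data),
# so the shell never re-parses it.
render_safe() {     # $1 = ANSI colour code, $2 = untrusted text
  printf '\033[%sm%s\033[0m\n' "$1" "$2"
}

# Creates a file whose name embeds a command, renders every file name in
# a scratch directory with renderer $1, and returns 0 if the embedded
# command ran (the marker file exists), 1 if it did not.
payload_ran() {
  dir=$(mktemp -d) || return 2
  name='report$(touch marker).txt'   # constructed sample name, benign payload
  (
    cd "$dir" && : > "$name" &&
    for f in *; do "$1" 31 "$f"; done
  ) >/dev/null
  rc=0
  [ -e "$dir/marker" ] || rc=1
  rm -rf "$dir"
  return "$rc"
}

for r in render_unsafe render_safe; do
  if payload_ran "$r"; then
    echo "$r: embedded command executed"
  else
    echo "$r: file name printed as data"
  fi
done
```

The same marker-file check can be used to confirm that a wrapper script which passes file names to a colouring helper treats them as data.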
Remediation
Users are advised to update to dye version 1.1.1, where this vulnerability has been patched.
