CVE-2021-3727

OS Command Injection in ohmyzsh/ohmyzsh

CVSS 7.5 HIGHEPSS 1.0%CWE-78

# Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they're an external API, it's not possible to know if the quotes are safe to use. **Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **Impacted areas**: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function).

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

ohmyzsh · ohmyzsh/ohmyzsh

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/ohmyzsh/ohmyzsh/commit/72928432