CVE-2021-3727 Information

Description

Vulnerability in rand-quote and hitokoto plugins

The rand-quote and hitokoto plugins fetch quotes from quotationspage.com and hitokoto.cn respectively, do some processing on them, and then use print -P to print them. Because print -P performs prompt expansion on its argument, a quote containing the right characters can trigger command injection. Since the quotes come from an external API, there is no way to know whether they are safe to use.

Fixed in: 72928432

Impacted areas:
- rand-quote plugin (quote function)
- hitokoto plugin (hitokoto function)
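The following is an added example, not code from oh-my-zsh or from the fixing commit. It shows the vulnerable pattern the description refers to (untrusted text passed to print -P) next to a pattern that keeps the prompt colours but never runs prompt expansion over the untrusted text. The quote string is constructed inline, the function names are hypothetical, and the example enables prompt_subst explicitly because many zsh prompt themes do.

```zsh
#!/usr/bin/env zsh
# Added example, not oh-my-zsh code: why passing API-fetched text to
# `print -P` is command injection, and a pattern that keeps the colours
# without expanding the untrusted part. The quote is constructed inline.

# Many zsh prompt themes enable this option. With it, prompt expansion
# (which `print -P` performs) also runs $(...), ${...} and $((...))
# found in the string.
setopt prompt_subst

# Constructed stand-in for an attacker-controlled quote. %n is a prompt
# escape (login name) and $(...) is a command substitution; a real payload
# would run something other than echo.
untrusted_quote='Be yourself %n $(echo INJECTED-BY-$(id -un)) - Anonymous'

# Vulnerable pattern (hypothetical name): the untrusted text becomes part
# of the prompt string, so its %-escapes are rewritten and, under
# prompt_subst, its $(...) is executed.
vulnerable_print() {
  print -P "%F{3}${1}%f"
}

# Hardened pattern (hypothetical name): expand only the literal colour
# escapes with the (%) parameter flag, then print the untrusted text
# verbatim. -r disables escape processing and -- stops a quote that
# begins with "-" from being parsed as print options.
safe_print() {
  local yellow='%F{3}' reset='%f'
  print -r -- "${(%)yellow}${1}${(%)reset}"
}

print -n 'vulnerable: '; vulnerable_print "$untrusted_quote"
print -n 'safe:       '; safe_print "$untrusted_quote"
```

Run under zsh, the vulnerable line prints the login name in place of %n and the output of the embedded command in place of $(...); the safe line prints the quote exactly as received. Note that prompt_subst only governs the $(...) part: %-escapes are always rewritten by print -P, so the untrusted text should never go through prompt expansion regardless of that option. To see whether a given shell has the option on, run [[ -o prompt_subst ]] && echo on.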

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://github.com/ohmyzsh/ohmyzsh/commit/72928432

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

9.8

Base Severity

CRITICAL
