CVE-2024-41815

low-risk
Published 2024-07-26

Starship is a cross-shell prompt. Starting in version 1.0.0 and prior to version 1.20.0, undocumented and unpredictable shell expansion and/or quoting rules make it easily to accidentally cause shell injection when using custom commands with starship in bash. This issue only affects users with custom commands, so the scope is limited, and without knowledge of others' commands, it could be hard to successfully target someone. Version 1.20.0 fixes the vulnerability.

Do I need to act?

-
0.30% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.4/10 High
LOCAL / HIGH complexity

Affected Products (1)

Starship

Affected Vendors

Starship

References (6)

Patch https://github.com/starship/starship/commit/cfc58161e0ec595db90af686ad77a73df6d4...
Release Notes https://github.com/starship/starship/releases/tag/v1.20.0
Exploit https://github.com/starship/starship/security/advisories/GHSA-vx24-x4mv-vwr5
Patch https://github.com/starship/starship/commit/cfc58161e0ec595db90af686ad77a73df6d4...
Release Notes https://github.com/starship/starship/releases/tag/v1.20.0
Exploit https://github.com/starship/starship/security/advisories/GHSA-vx24-x4mv-vwr5
25
/ 100
low-risk
Severity 19/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal