{
  "threat_severity" : "Moderate",
  "public_date" : "2021-12-26T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs-shelljs: improper privilege management",
    "id" : "2043535",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2043535"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
    "status" : "verified"
  },
  "details" : [ "shelljs is vulnerable to Improper Privilege Management", "A flaw was found in the ShellJS library that affects scripts using the exec function. Local users on the filesystem can read the stdout of the ShellJS process, which discloses sensitive information and can lead to privilege escalation. The flaw also allows an attacker to craft stdout files, which crashes ShellJS scripts running with privileges." ],
  "statement" : "In Red Hat Virtualization, ShellJS is a development dependency of ovirt-engine-ui-extensions and ovirt-web-ui. Vulnerable ShellJS code is not shipped with the product.",
  "package_state" : [ {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Affected",
    "package_name" : "rhacm2/console-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Will not fix",
    "package_name" : "rhacm2/kui-web-terminal-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Affected",
    "package_name" : "rhacm2/search-ui-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Virtualization 4",
    "fix_state" : "Not affected",
    "package_name" : "ovirt-engine-ui-extensions",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4"
  }, {
    "product_name" : "Red Hat Virtualization 4",
    "fix_state" : "Not affected",
    "package_name" : "ovirt-web-ui",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-0144\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-0144\nhttps://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/" ],
  "name" : "CVE-2022-0144",
  "csaw" : false
}