CVE-2021-3727

Source
https://cve.org/CVERecord?id=CVE-2021-3727
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-3727.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-3727
Published
2021-11-30T10:15:08.940Z
Modified
2026-03-14T11:03:20.202130Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Vulnerability in rand-quote and hitokoto plugins

Description: the rand-quote and hitokoto plugins fetch quotes from quotationspage.com and hitokoto.cn respectively, do some processing on them and then use print -P to print them. If these quotes contained the proper symbols, they could trigger command injection. Because the quotes come from an external API, it is not possible to know whether they are safe to use.

Fixed in: 72928432.

Impacted areas:
  • rand-quote plugin (quote function).
  • hitokoto plugin (hitokoto function).

Affected packages

Git / github.com/ohmyzsh/ohmyzsh

Affected ranges

Type
GIT
Repo
https://github.com/ohmyzsh/ohmyzsh
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Database specific

unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "72928432"
            }
        ]
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-3727.json"