Key information summary

CVE: CVE-2021-3934 (published)
Vulnerability type: CWE-78: OS Command Injection
Severity: High (7.8)
 - Attack Vector: Local
 - Attack Complexity: Low
 - Privileges Required: None
 - User Interaction: Required
 - Scope: Unchanged
 - Confidentiality: High
 - Integrity: High
 - Availability: High
Affected software: Oh My Zsh, a popular shell framework.
Impact: The affected function, when given user-controlled input and combined with the command in question, allows an attacker to execute arbitrary commands in the victim's shell. Depending on the theme or plugin configuration, that input can originate remotely (a branch name in a cloned repository, text fetched from a website), so this can amount to remote code execution.
Status: Fixed
Discovery and patch:
 - Disclosure bounty: $750
 - Fix bounty: $187.5
 - Found and reported by Ryotak (@ryotak), a community member.
 - Confirmed and addressed by the Oh My Zsh maintainers, with contributions from Marc Cornella and Robby Russell.
Fix implementation: The fix updated the affected function to sanitize its input properly and to stop passing unsanitized input directly to the command. The fix was rolled out first, and the maintainers kept the window between the fix and public disclosure short to minimize exposure.
Timeline:
 - Reported on Nov 2, 2021.
 - CVE and patch published by November 18, 2021.
Additional vulnerabilities discovered:
 - Branch names output to the prompt.
 - Title setting, and plugins that output data fetched from websites.
 - A plugin that used the command with directory names.
Conclusions:
 - The reported vulnerabilities highlight the risk of unsanitized user input in shell scripts.
 - The patch prevents command injection by applying stricter input sanitization.
 - The community response shows the value of transparency and collaboration in addressing security issues.
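The summary above does not name the affected function or the command it wrapped, so the following is an added example written for this page; it is not Oh My Zsh code, not the reporter's proof of concept, and not the project's actual patch. It assumes the mechanism behind the bug class is zsh prompt expansion with PROMPT_SUBST set, which is what a terminal-title setter, a prompt that shows the git branch, or a plugin that prints directory names would all go through. The function names, the attacker-controlled strings and the checks are constructed for the demonstration, and it shows each vulnerable shape next to a hardened one.

```zsh
#!/usr/bin/env zsh
# Added example for this page; it is not Oh My Zsh code and does not
# reproduce the project's actual patch. It assumes the mechanism is zsh
# prompt expansion with PROMPT_SUBST set: anything passed to `print -P`, or
# placed in PROMPT, has $(...) executed and '%' treated as a prompt escape.
# Function names and the attacker-controlled strings are constructed.

setopt PROMPT_SUBST

# Constructed attacker-controlled inputs. In a real shell they would arrive
# as a directory name, a git branch name, text fetched by a plugin, or the
# command line seen by a preexec hook.
payload='$(echo INJECTED)'
branch='%F{red}evil%f'

# VULNERABLE: the terminal-title idiom. `print -P` performs prompt expansion,
# and with PROMPT_SUBST that includes command substitution, so the $(...)
# inside $1 runs when the title is set.
title_vulnerable() {
  print -Pn -- "\e]2;$1\a"
}

# HARDENED: never hand untrusted text to an expanding printer. The fixed
# escape sequence is emitted on its own; the data goes through `print -r`
# without -P, so no expansion of any kind is applied to it.
title_hardened() {
  print -n -- $'\e]2;'
  print -rn -- "$1"
  print -n -- $'\a'
}

# VULNERABLE: a branch name emitted verbatim into the prompt lets a '%' in it
# start a prompt escape (colour, conditional, hostname, ...), and if the
# string were pasted into PROMPT itself, a $(...) in it would run as well.
branch_info_vulnerable() {
  echo "git:($1)"
}

# HARDENED: double every '%' with zsh's global-substitution modifier so the
# name survives prompt expansion as literal text. This neutralises prompt
# escapes only: the text must still reach the prompt through a render-time
# $(branch_info_hardened ...) rather than be pasted into PROMPT beforehand,
# because command-substitution output is not expanded a second time.
branch_info_hardened() {
  echo "git:(${1:gs/%/%%})"
}

# Report a check by its exit status; stop on the first failure.
check() {
  local label=$1 rc=$2
  if (( rc == 0 )); then
    print -r -- "ok   $label"
  else
    print -r -- "FAIL $label"
    exit 1
  fi
}

# 1. The vulnerable title really executed the payload: INJECTED appears in
#    the output, which means `echo INJECTED` ran inside print -P.
out=$(title_vulnerable "$payload")
[[ $out == *INJECTED* ]]; check "title_vulnerable ran the \$(...) in untrusted input" $?

# 2. The hardened title emits the payload byte for byte between the fixed
#    escape prefix and the terminating BEL.
out=$(title_hardened "$payload")
[[ $out == $'\e]2;'"$payload"$'\a' ]]; check "title_hardened kept the payload literal" $?

# 3. Render both branch strings the way a prompt would. The raw one is
#    changed by the '%' escapes; the escaped one comes back as the input.
rendered_raw=$(print -P -- "$(branch_info_vulnerable "$branch")")
rendered_safe=$(print -P -- "$(branch_info_hardened "$branch")")
[[ $rendered_raw != "git:($branch)" ]]; check "branch_info_vulnerable let '%' act as a prompt escape" $?
[[ $rendered_safe == "git:($branch)" ]]; check "branch_info_hardened rendered the branch literally" $?
```

Save the block to a file and run it with zsh; each check prints "ok" or "FAIL", and the first failure exits non-zero. The design point is the one the advisory's fix is about: with PROMPT_SUBST enabled, anything that reaches `print -P` or the PROMPT string is code, not data, so the robust fix is to keep untrusted text out of that path entirely (`print -r` without `-P` for the fixed parts of a title) and, where it must be displayed in the prompt, to escape `%` as `%%` and produce it at render time rather than interpolating it into PROMPT.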