CVE-2022-20001

Injection in fish

Description

fish is a command line shell. fish version 3.1.0 through version 3.3.1 is vulnerable to arbitrary code execution. git repositories can contain per-repository configuration that change the behavior of git, including running arbitrary commands. When using the default configuration of fish, changing to a directory automatically runs `git` commands in order to display information about the current repository in the prompt. If an attacker can convince a user to change their current directory into one controlled by the attacker, such as on a shared file system or extracted archive, fish will run arbitrary commands under the attacker's control. This problem has been fixed in fish 3.4.0. Note that running git in these directories, including using the git tab completion, remains a potential trigger for this issue. As a workaround, remove the `fish_git_prompt` function from the prompt.

Categories

7.8
CVSS
Severity: High
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.47%
Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory debian.org Vendor Advisory gentoo.org
Affected: fish-shell fish-shell
Published at:
Updated at:

References

Link Tags
https://github.com/fish-shell/fish-shell/security/advisories/GHSA-pj5f-6vxj-f5mq third party advisory
https://github.com/fish-shell/fish-shell/pull/8589 third party advisory patch
https://github.com/fish-shell/fish-shell/releases/tag/3.4.0 third party advisory release notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TRNMYS2LKB6TKOOBQQRSRQICDMWLZ4QL/ vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BPZ7JV22DSZB5LNUCUEJ2HO3PKM2TVVK/ vendor advisory
https://www.debian.org/security/2022/dsa-5234 third party advisory vendor advisory
https://security.gentoo.org/glsa/202309-10 vendor advisory

Frequently Asked Questions

What is the severity of CVE-2022-20001?
CVE-2022-20001 has been scored as a high severity vulnerability.
How to fix CVE-2022-20001?
To fix CVE-2022-20001, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-20001 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2022-20001 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-20001?
CVE-2022-20001 affects fish-shell fish-shell.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.