fish is a smart and user-friendly command line shell for macOS, Linux, and the rest of the family. fish shell uses certain Unicode non-characters internally for marking wildcards and expansions. It will incorrectly allow these markers to be read on command substitution output, rather than transforming them into a safe internal representation. While this may cause unexpected behavior with direct input (for example, echo \UFDD2HOME has the same output as echo $HOME), this may become a minor security problem if the output is being fed from an external program into a command substitution where this output may not be expected. This design flaw was introduced in very early versions of fish, predating the version control system, and is thought to be present in every version of fish released in the last 15 years or more, although with different characters. Code execution does not appear to be possible, but denial of service (through large brace expansion) or information disclosure (such as variable expansion) is potentially possible under certain circumstances. fish shell 3.6.2 has been released to correct this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability.
総合評価: CVE-2023-49284 は公開エクスプロイトあり(50/100)。CVSS 深刻度は低。悪用される可能性が高い(EPSS 0.47%、37 パーセンタイル) 根拠: 公開エクスプロイトが 1 件参照されています(Exploit-DB)。 推奨対応: 公開エクスプロイトが確認されています。影響範囲の確認、緩和策の適用、パッチ適用を優先してください。
リスクは変動します。再評価に基づき、本ページの表示内容を更新しています。
| EDB-ID | ソース | 種別 | 公開 | リンク |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS は日次で悪用されやすさの相対度合いを推定します。パーセンタイルは採点済み CVE の中での相対位置(高いほど相対的に深刻)を示します。
| # | 日付 | 旧 EPSS スコア | 新 EPSS スコア | Δ(新 − 旧) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.06% | 0.47% | +0.42% |
| 2 | 2025-03-17 | 0.04% | 0.06% | +0.01% |
| 3 | 2023-12-05 | — | 0.04% | — |
EPSS の全履歴 (全 3 件)
この CVE の CVSS 指標。
| ベーススコア | バージョン | 深刻度 | ベクトル | 悪用しやすさ | 影響 | スコアの出典 |
|---|---|---|---|---|---|---|
| 3.9 | 3.1 | LOW |
|
1.3 | 2.5 | [email protected] |
| 6.6 | 3.1 | MEDIUM |
|
1.3 | 5.2 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2023-49284: 1 source package rows (fish); 7 state rows across 7 repos (3.17-main, 3.18-main, 3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 0, open 7. | https://security.alpinelinux.org/vuln/CVE-2023-49284 |
debian
|
not yet assigned | CVE-2023-49284 not yet assigned priority: Debian including 1 source packages (fish), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 4, open 1. | https://security-tracker.debian.org/tracker/CVE-2023-49284 |
suse
|
medium | CVE-2023-49284 severity moderate: SUSE including 8 source package names (fish-3.3.1-bp154.3.3.1, fish-3.3.1-bp155.4.3.1, …), 12 product×package rows across 6 product lines (SUSE Linux Enterprise Server 16.0, SUSE Package Hub 15 SP4, … (6 product lines)): Fixed 12. | https://www.suse.com/security/cve/CVE-2023-49284/ |
ubuntu
|
medium | CVE-2023-49284 medium priority: Ubuntu including 1 source packages (fish), 12 status rows across 12 suites (bionic, focal, jammy, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): needs-triage 7, ignored 5. | https://ubuntu.com/security/CVE-2023-49284 |