CVE-2023-49284

Name of the Vulnerable Software and Affected Versions fish versions prior to 3.6.2

Description The fish shell uses certain Unicode non-characters internally for marking wildcards and expansions. However, it will incorrectly allow these markers to be read on command substitution output, rather than transforming them into a safe internal representation. This may cause unexpected behavior with direct input and potentially become a minor security problem if the output is being fed from an external program into a command substitution. Code execution does not appear to be possible, but denial of service or information disclosure is potentially possible under certain circumstances.

Recommendations For versions prior to 3.6.2, upgrade to fish shell 3.6.2 to correct this issue. As a temporary workaround, consider avoiding the use of command substitution with output from external programs until the issue is resolved. Restrict access to sensitive information and variables to minimize the risk of information disclosure.