
CVE-2022-20001: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in fish-shell

Medium
Published: Mon Mar 14 2022 (03/14/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: fish-shell
Product: fish-shell

Description

fish is a command line shell. fish version 3.1.0 through version 3.3.1 is vulnerable to arbitrary code execution. Git repositories can contain per-repository configuration that changes the behavior of git, including running arbitrary commands. When using the default configuration of fish, changing to a directory automatically runs `git` commands in order to display information about the current repository in the prompt. If an attacker can convince a user to change their current directory into one controlled by the attacker, such as on a shared file system or extracted archive, fish will run arbitrary commands under the attacker's control. This problem has been fixed in fish 3.4.0. Note that running git in these directories, including using the git tab completion, remains a potential trigger for this issue. As a workaround, remove the `fish_git_prompt` function from the prompt.

AI-Powered Analysis

Last updated: 06/23/2025, 15:32:28 UTC

Technical Analysis

CVE-2022-20001 is a vulnerability in the fish-shell command line shell, specifically affecting versions 3.1.0 through 3.3.1. The vulnerability arises from improper neutralization of special elements in output used by a downstream component, classified under CWE-74 (Injection).

Fish-shell integrates with git repositories to enhance the command prompt by automatically running git commands when the user changes directories. This feature, enabled by default, executes git commands to display repository information in the prompt. However, git repositories can contain per-repository configuration files that modify git's behavior, including the execution of arbitrary commands. If an attacker can trick a user into changing their working directory to a location controlled by the attacker, such as a shared network file system or an extracted archive, the fish shell will execute arbitrary commands embedded in the git configuration. This leads to arbitrary code execution under the context of the user running fish. The vulnerability is triggered not only by changing directories but also by running git commands or using git tab completion in affected directories.

The issue was resolved in fish-shell version 3.4.0. As a mitigation, users can remove the `fish_git_prompt` function from their prompt configuration to prevent automatic git command execution. There are no known exploits in the wild reported to date. The vulnerability does not require elevated privileges but does require user interaction in the form of changing directories or running git commands within a malicious repository. This vulnerability impacts confidentiality, integrity, and availability by enabling arbitrary code execution, potentially allowing attackers to execute malicious payloads, steal data, or disrupt system operations.

Potential Impact

For European organizations, the impact of CVE-2022-20001 can be significant, especially in environments where fish-shell is used as the default or preferred shell by developers, system administrators, or DevOps teams. The arbitrary code execution risk can lead to unauthorized access, data exfiltration, or system compromise. Organizations relying on shared file systems or frequently exchanging archives containing git repositories are particularly vulnerable, as attackers could embed malicious git configurations to exploit this flaw. The threat is more pronounced in development, CI/CD pipelines, and cloud environments where git and fish-shell are commonly used together. While no widespread exploitation has been reported, the vulnerability could be leveraged in targeted attacks against European entities with sensitive intellectual property or critical infrastructure. The impact on availability could manifest through malware deployment or ransomware attacks initiated via this vector. Confidentiality and integrity risks arise from the potential for attackers to execute arbitrary commands, modify files, or escalate privileges within compromised systems.

Mitigation Recommendations

To mitigate CVE-2022-20001, European organizations should:

1) Upgrade fish-shell to version 3.4.0 or later, where the vulnerability is fixed.
2) If immediate upgrade is not feasible, remove or disable the `fish_git_prompt` function from the fish prompt configuration to prevent automatic execution of git commands when changing directories.
3) Educate users to avoid changing directories into untrusted or unknown git repositories, especially those obtained from shared file systems or unverified archives.
4) Implement strict access controls and monitoring on shared file systems to prevent attackers from placing malicious repositories.
5) Employ endpoint detection and response (EDR) solutions to monitor for suspicious shell command executions and anomalous git activity.
6) Review and restrict the use of git tab completion in fish-shell environments until patched.
7) Integrate security scanning of git repositories and configuration files before use in production or shared environments.

These steps go beyond generic advice by focusing on configuration changes, user behavior, and environment hardening specific to the fish-shell and git interaction.
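The repository scanning in recommendation 7 can be done on an extracted archive or shared directory before anyone changes into it. The sketch below is an added example, not code from fish-shell or from this advisory: it reads each `.git/config` as plain text, never invoking git (the description notes that running git in such a directory is itself a trigger), and flags settings that the git-config documentation describes as naming an external program, a hooks directory or an included file. The key list and the names `REVIEW_KEYS`, `SAMPLE`, `scan_config_text` and `scan_tree` are assumptions chosen for illustration.

```python
import re
from pathlib import Path

# Settings git uses as a program, hooks directory or include file (assumed list).
REVIEW_KEYS = {
    "core": {"fsmonitor", "pager", "editor", "sshcommand", "hookspath"},
    "diff": {"external", "textconv", "command"},
    "filter": {"clean", "smudge", "process"},
    "merge": {"driver"}, "gpg": {"program"}, "credential": {"helper"},
    "include": {"path"}, "includeif": {"path"},
}
SECTION = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"(?:[^"\\]|\\.)*")?\s*\]')
KEYVAL = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')

# Constructed sample config; the values are inert placeholders.
SAMPLE = '''[core]
\tfsmonitor = CONSTRUCTED-PLACEHOLDER
[filter "demo"]
\tclean = CONSTRUCTED-PLACEHOLDER
'''

def scan_config_text(text):
    """Return [(line_no, 'section.key', value)] for settings needing review."""
    findings, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION.match(line)
        if m:  # old-style [section.sub] headers are still accepted by git
            section = m.group(1).lower().partition(".")[0]
            line = line[m.end():].strip()  # "[core] key = v" can share a line
        m = KEYVAL.match(line)
        if not m or section is None:
            continue
        key, value = m.group(1).lower(), (m.group(2) or "").strip()
        if (section, key) == ("core", "fsmonitor") and value.lower() in ("true", "false"):
            continue  # a boolean selects git's built-in monitor, not a program
        if key in REVIEW_KEYS.get(section, ()) or (
                section == "alias" and value.startswith("!")):
            findings.append((lineno, f"{section}.{key}", value))
    return findings

def scan_tree(root):
    """Read every .git/config under root as plain text; git is never run."""
    scans = {str(p): scan_config_text(p.read_text(errors="replace"))
             for p in sorted(Path(root).rglob(".git/config"))}
    return {path: found for path, found in scans.items() if found}
```

A hit is a prompt for manual review rather than proof of malice, and bare repositories or worktree `.git` files are outside what this scan covers.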


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2021-06-08T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9842c4522896dcbf2671

Added to database: 5/21/2025, 9:09:22 AM

Last enriched: 6/23/2025, 3:32:28 PM

Last updated: 7/27/2025, 11:29:01 AM
