This affects the package portprocesses before 1.0.5. If (attacker-controlled) user input is given to the killProcess function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
References
Link | Resource |
---|---|
https://github.com/rrainn/PortProcesses/blob/fffceb09aff7180afbd0bd172e820404b33c8299/index.js%23L23 | Broken Link |
https://github.com/rrainn/PortProcesses/commit/86811216c9b97b01b5722f879f8c88a7aa4214e1 | Patch Third Party Advisory |
https://github.com/rrainn/PortProcesses/security/advisories/GHSA-vm67-7vmg-66vm | Exploit Third Party Advisory |
https://snyk.io/vuln/SNYK-JS-PORTPROCESSES-1078536 | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: snyk
Published: 2021-03-31T00:00:00
Updated: 2021-03-31T14:25:17
Reserved: 2021-01-08T00:00:00
Link: CVE-2021-23348
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-03-31T15:15:15.543
Modified: 2022-06-28T14:11:45.273
Link: CVE-2021-23348
JSON object: View
Redhat Information
No data.
CWE