Описание
Command Injection in pidusage
Affected versions of pidusage pass unsanitized input to child_process.exec(), resulting in arbitrary code execution in the ps method.
This package is vulnerable to this PoC on Darwin, SunOS, FreeBSD, and AIX.
Windows and Linux are not vulnerable.
Proof of Concept
var pid = require('pidusage');
pid.stat('1 && /usr/local/bin/python');
Recommendation
Update to version 1.1.5 or later.
Пакеты
Наименование
pidusage
npm
Затронутые версииВерсия исправления
<= 1.1.4
1.1.5
CVE ID
Дефекты
CWE-77
Связанные уязвимости
CVE ID
Дефекты
CWE-77