CVE-2021-23359

Опубликовано: 18 мар. 2021

Источник: nvd

CVSS3: 7.5

CVSS3: 8.8

CVSS2: 6.5

EPSS Низкий

Описание

This affects all versions of package port-killer. If (attacker-controlled) user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. Running this PoC will cause the command touch success to be executed, leading to the creation of a file called success.

Ссылки

https://github.com/tylerjpeterson/port-killer/blob/1ca3a99ad80cc9ed5498d12b185189c10329025b/index.js%23L19
Broken Link
https://snyk.io/vuln/SNYK-JS-PORTKILLER-1078533
Exploit
Third Party Advisory
https://github.com/tylerjpeterson/port-killer/blob/1ca3a99ad80cc9ed5498d12b185189c10329025b/index.js%23L19
Broken Link
https://snyk.io/vuln/SNYK-JS-PORTKILLER-1078533
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:port-killer_project:port-killer:*:*:*:*:*:node.js:*:*

EPSS

Процентиль: 59%

0.0038

Низкий

7.5 High

CVSS3

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-78

Связанные уязвимости

GHSA-2548-q746-x5x6

CVSS3: 7.5

github

больше 4 лет назад

Code injection in port-killer

EPSS

Процентиль: 59%

0.0038

Низкий

7.5 High

CVSS3

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-78