CVE-2021-23360

Опубликовано: 21 мар. 2021

Источник: nvd

CVSS3: 7.5

CVSS3: 8.8

CVSS2: 6.5

EPSS Низкий

Описание

This affects the package killport before 1.0.2. If (attacker-controlled) user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. Running this PoC will cause the command touch success to be executed, leading to the creation of a file called success.

Ссылки

https://github.com/ssnau/killport/blob/5268f23ea8f152e47182b263d8f7ef20c12a9f28/index.js%23L9
Broken Link
https://github.com/ssnau/killport/commit/bec8e371f170a12e11cd222ffc7a6e1ae9942638
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-KILLPORT-1078535
Exploit
Patch
Third Party Advisory
https://github.com/ssnau/killport/blob/5268f23ea8f152e47182b263d8f7ef20c12a9f28/index.js%23L9
Broken Link
https://github.com/ssnau/killport/commit/bec8e371f170a12e11cd222ffc7a6e1ae9942638
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-KILLPORT-1078535
Exploit
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:killport_project:killport:*:*:*:*:*:node.js:*:*

Версия до 1.0.2 (исключая)

EPSS

Процентиль: 73%

0.00759

Низкий

7.5 High

CVSS3

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-78

Связанные уязвимости

GHSA-fc42-h7q4-qp8h

CVSS3: 7.5

github

почти 5 лет назад

Command Injection in killport

EPSS

Процентиль: 73%

0.00759

Низкий

7.5 High

CVSS3

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-78