Description
This affects all versions of the package roar-pidusage. If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible for an attacker to execute arbitrary commands. This is due to the use of the child_process exec function without input sanitization.
References
- https://github.com/Svjard/pidusage/blob/772cd2bd675ff7b1244b6fe3d7541692b1b9e42c/lib/stats.js%23L103 (Broken Link)
- Exploit, Third Party Advisory
Vulnerable configurations
Configuration 1
cpe:2.3:a:roar-pidusage_project:roar-pidusage:*:*:*:*:*:node.js:*:*
EPSS
Percentile: 65%
Score: 0.00496
Low
5.6 Medium (CVSS3)
7.3 High (CVSS3)
7.5 High (CVSS2)
Weaknesses
CWE-78