This affects all versions of package ps-kill. If (attacker-controlled) user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization in the index.js file. PoC (provided by reporter): var ps_kill = require('ps-kill'); ps_kill.kill('$(touch success)',function(){});
Metrics
Affected Vendors & Products
References
Link | Providers |
---|---|
https://snyk.io/vuln/SNYK-JS-PSKILL-1078529 |
History
No history.
MITRE
Status: PUBLISHED
Assigner: snyk
Published: 2021-03-15T16:40:22.069889Z
Updated: 2024-09-16T17:54:07.343Z
Reserved: 2021-01-08T00:00:00
Link: CVE-2021-23355
Vulnrichment
No data.
NVD
Status : Modified
Published: 2021-03-15T17:15:21.410
Modified: 2024-11-21T05:51:33.860
Link: CVE-2021-23355
Redhat
No data.