CVE-2021-23355

Severity CVSS v4.0:
Pending analysis
Type:
CWE-78 OS Command Injections
Publication date:
15/03/2021
Last modified:
28/06/2022

Description

This affects all versions of package ps-kill. If (attacker-controlled) user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization in the index.js file. PoC (provided by reporter): var ps_kill = require('ps-kill'); ps_kill.kill('$(touch success)',function(){});

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:ps-kill_project:ps-kill:*:*:*:*:*:node.js:*:*


References to Advisories, Solutions, and Tools