CVE-2021-23355
Severity CVSS v4.0:
Pending analysis
Type:
CWE-78
OS Command Injections
Publication date:
15/03/2021
Last modified:
28/06/2022
Description
This affects all versions of package ps-kill. If (attacker-controlled) user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization in the index.js file. PoC (provided by reporter): var ps_kill = require('ps-kill'); ps_kill.kill('$(touch success)',function(){});
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Base Score 2.0
7.50
Severity 2.0
HIGH
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:ps-kill_project:ps-kill:*:*:*:*:*:node.js:*:* |
To consult the complete list of CPE names with products and versions, see this page