Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oMnAzLWg0OGgtOWpqN84AAR2Q
PIDUsage Enables OS Command Injection
Overview
Affected versions of pidusage pass unsanitized input to child_process.exec(), resulting in arbitrary code execution in the ps method.
The package is vulnerable to the PoC below on Darwin, SunOS, FreeBSD, and AIX, the platforms on which the ps method is the code path used to collect process statistics.
Windows and Linux are not vulnerable.
Proof of Concept
var pid = require('pidusage');
// The pid argument is concatenated into a shell command string, so the shell
// runs "ps ... -p 1" and then "/usr/local/bin/python" as a second command.
pid.stat('1 && /usr/local/bin/python', function (err, stat) {});
Remediation
Update to version 1.1.5 or later.
Permalink: https://github.com/advisories/GHSA-h2p3-h48h-9jj7
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oMnAzLWg0OGgtOWpqN84AAR2Q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: 5 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-h2p3-h48h-9jj7, CVE-2017-1000220
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000220
- https://web.archive.org/web/20201208183910/https://www.npmjs.com/advisories/356
- https://github.com/advisories/GHSA-h2p3-h48h-9jj7
Affected Packages
npm:pidusage
Dependent packages: 340
Dependent repositories: 28,809
Downloads: 11,442,055 last month
Affected Version Ranges: <= 1.1.4
Fixed version: 1.1.5 (see Remediation above)
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.1.0, 0.1.1, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4