

Severity: Critical
EPSS: 0.03342% (0.86756 percentile)

Command Execution in windows-cpu

Affected Package: npm:windows-cpu (PURL: pkg:npm/windows-cpu)
Affected Versions: < 0.1.5
Fixed Versions: 0.1.5

12 dependent packages, 19 dependent repositories, 4,479 downloads last month

Affected Version Ranges

All affected versions

0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4

All unaffected versions

0.1.5, 0.1.6, 1.0.0, 1.0.1, 1.1.0

Versions of windows-cpu before 0.1.5 execute arbitrary code passed into the first argument of the findLoad method, resulting in remote code execution.

Proof of Concept

var win = require('windows-cpu');
// The first argument reaches a shell unescaped; "& calc.exe" is run as a second command.
win.findLoad('foo & calc.exe');

Recommendation

Update to version 0.1.5 or later.

References: