Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Command Injection in priest-runner
All versions of priest-runner are vulnerable to Command Injection. The package fails to sanitize input and passes it directly to a spawn call, which may allow attackers to execute arbitrary code in the system. The PriestController.prototype.createChild function is vulnerable since the spawn parameters come from a POST request body.
Recommendation
No fix is currently available. Consider using an alternative package until a fix is made available.
Permalink: https://github.com/advisories/GHSA-9px9-f7jw-fwhj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlweDktZjdqdy1md2hq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-9px9-f7jw-fwhj
References:
Blast Radius: 1.0
Affected Packages
npm:priest-runner
Dependent packages: 2
Dependent repositories: 0
Downloads: 47 last month
Affected Version Ranges: >= 0.0.0
No known fixed version
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.1.0, 0.1.1, 0.1.2, 0.1.4, 0.1.5, 0.1.8, 0.2.0, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.7, 0.3.8, 0.3.11, 0.3.12