Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlweDktZjdqdy1md2hq

Command Injection in priest-runner

All versions of priest-runner are vulnerable to Command Injection. The package fails to sanitize input and passes it directly to a spawn call, which may allow attackers to execute arbitrary code on the system. The PriestController.prototype.createChild function is vulnerable because the spawn parameters (the executable, its arguments and options) come straight from a POST request body.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

Permalink: https://github.com/advisories/GHSA-9px9-f7jw-fwhj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlweDktZjdqdy1md2hq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: over 1 year ago

Identifiers: GHSA-9px9-f7jw-fwhj
References:
Blast Radius: 1.0

Affected Packages

npm:priest-runner
Dependent packages: 2
Dependent repositories: 0
Downloads: 47 last month
Affected Version Ranges: >= 0.0.0
No known fixed version
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.1.0, 0.1.1, 0.1.2, 0.1.4, 0.1.5, 0.1.8, 0.2.0, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.7, 0.3.8, 0.3.11, 0.3.12