Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZjNDItaDdxNC1xcDho
Command Injection in killport
This affects the package killport before 1.0.2. If (attacker-controlled) user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. Running this PoC will cause the command touch success to be executed, leading to the creation of a file called success.
Permalink: https://github.com/advisories/GHSA-fc42-h7q4-qp8hJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZjNDItaDdxNC1xcDho
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 8 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-fc42-h7q4-qp8h, CVE-2021-23360
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23360
- https://github.com/ssnau/killport/commit/bec8e371f170a12e11cd222ffc7a6e1ae9942638
- https://github.com/ssnau/killport/blob/5268f23ea8f152e47182b263d8f7ef20c12a9f28/index.js%23L9
- https://snyk.io/vuln/SNYK-JS-KILLPORT-1078535
- https://github.com/advisories/GHSA-fc42-h7q4-qp8h
Affected Packages
npm:killport
Versions: < 1.0.2Fixed in: 1.0.2