Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhmcTktcmZwdi1qOHI4
Command Injection in pidusage
Affected versions of pidusage pass unsanitized input to child_process.exec(), resulting in arbitrary code execution in the ps method.
This package is vulnerable to this PoC on Darwin, SunOS, FreeBSD, and AIX.
Windows and Linux are not vulnerable.
Proof of Concept
var pid = require('pidusage');
pid.stat('1 && /usr/local/bin/python');
Recommendation
Update to version 1.1.5 or later.
Permalink: https://github.com/advisories/GHSA-hfq9-rfpv-j8r8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhmcTktcmZwdi1qOHI4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 4 years ago
Updated: about 2 years ago
Identifiers: GHSA-hfq9-rfpv-j8r8, CVE-2017-16034
References:
- https://www.npmjs.com/advisories/356
- https://nvd.nist.gov/vuln/detail/CVE-2017-16034
- https://github.com/advisories/GHSA-hfq9-rfpv-j8r8
Affected Packages
npm:pidusage
Dependent packages: 340
Dependent repositories: 28,809
Downloads: 11,496,929 last month
Affected Version Ranges: <= 1.1.4
Fixed in: 1.1.5
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.1.0, 0.1.1, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4
All unaffected versions: 1.1.5, 1.1.6, 1.2.0, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.0.19, 2.0.20, 2.0.21, 3.0.0, 3.0.1, 3.0.2