Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhmeGYtcXcyNi1ocjMz
Arbitrary command execution in roar-pidusage
This affects all current versions of package roar-pidusage. If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible for an attacker to execute arbitrary commands. This is due to the use of the child_process exec function without input sanitization: the pid value is passed into a shell command line rather than being validated and passed as a discrete argument.
Permalink: https://github.com/advisories/GHSA-xfxf-qw26-hr33
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhmeGYtcXcyNi1ocjMz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: almost 2 years ago
CVSS Score: 5.6
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Identifiers: GHSA-xfxf-qw26-hr33, CVE-2021-23380
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23380
- https://github.com/Svjard/pidusage/blob/772cd2bd675ff7b1244b6fe3d7541692b1b9e42c/lib/stats.js#L103
- https://snyk.io/vuln/SNYK-JS-ROARPIDUSAGE-1078528
- https://github.com/advisories/GHSA-xfxf-qw26-hr33
Blast Radius: 1.7
Affected Packages
npm:roar-pidusage
Dependent packages: 2
Dependent repositories: 2
Downloads: 15 last month
Affected Version Ranges: <= 1.1.7
No known fixed version
All affected versions: 1.1.4, 1.1.5, 1.1.6, 1.1.7