GHSA-h2p3-h48h-9jj7

Source
https://github.com/advisories/GHSA-h2p3-h48h-9jj7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h2p3-h48h-9jj7/GHSA-h2p3-h48h-9jj7.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-h2p3-h48h-9jj7
Aliases
Published
2022-05-13T01:41:00Z
Modified
2024-10-16T16:50:14Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
PIDUsage Enables OS Command Injection
Details

Overview

Affected versions of pidusage pass unsanitized input to child_process.exec(), so a crafted pid argument is interpreted by the shell and results in arbitrary command execution in the ps method.

This package is vulnerable to this PoC on Darwin, SunOS, FreeBSD, and AIX.

Windows and Linux are not vulnerable.

Proof of Concept

var pid = require('pidusage');
pid.stat('1 && /usr/local/bin/python');

Remediation

Update to version 1.1.5 or later.

Database specific
{
    "nvd_published_at": "2017-11-17T01:29:00Z",
    "cwe_ids": [
        "CWE-78"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-22T23:18:39Z"
}
References

Affected packages

npm / pidusage

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.1.5

Database specific

{
    "last_known_affected_version_range": "<= 1.1.4"
}