GHSA-884p-74jh-xrg2

Source

https://github.com/advisories/GHSA-884p-74jh-xrg2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-884p-74jh-xrg2/GHSA-884p-74jh-xrg2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-884p-74jh-xrg2

Aliases

CVE-2019-15599

Published

2020-09-04T16:57:20Z

Modified

2023-11-08T20:41:33.741103Z

Summary

Command Injection in tree-kill

Details

Versions of tree-kill prior to 1.2.2 are vulnerable to Command Injection. The package fails to sanitize values passed to the kill function. If this value is user-controlled it may allow attackers to run arbitrary commands in the server. The issue only affects Windows systems.

Recommendation

Upgrade to version 1.2.2 or later.

Database specific

{
    "cwe_ids": [
        "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:59:05Z",
    "nvd_published_at": null,
    "severity": "HIGH"
}

References

Affected packages

npm / tree-kill

Package

Name: tree-kill; View open source insights on deps.dev
Purl: pkg:npm/tree-kill

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-884p-74jh-xrg2/GHSA-884p-74jh-xrg2.json"