GHSA-xfxf-qw26-hr33

Source

https://github.com/advisories/GHSA-xfxf-qw26-hr33

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-xfxf-qw26-hr33/GHSA-xfxf-qw26-hr33.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-xfxf-qw26-hr33

Aliases

CVE-2021-23380

Published

2021-05-06T15:55:43Z

Modified

2023-11-08T04:05:06.228033Z

Severity

5.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Summary

Arbitrary command execution in roar-pidusage

Details

This affects all current versions of package roar-pidusage. If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

Database specific

{
    "cwe_ids": [
        "CWE-77"
    ],
    "severity": "MODERATE",
    "github_reviewed_at": "2021-04-19T16:48:06Z",
    "github_reviewed": true,
    "nvd_published_at": "2021-04-18T19:15:00Z"
}

References

Affected packages

npm / roar-pidusage

Package

Name: roar-pidusage; View open source insights on deps.dev
Purl: pkg:npm/roar-pidusage

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.1.7