Arbitrary Command Injection

Affecting portprocesses package, versions <1.0.5

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

portprocesses is a This tool letes you list and kill processes on a specified port.

Affected versions of this package are vulnerable to Arbitrary Command Injection. If (attacker-controlled) user input is given to the killProcess function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

PoC (provided by reporter):

var portprocesses = require('portprocesses');

portprocesses.killProcess('$(touch success)');

Remediation

Upgrade portprocesses to version 1.0.5 or higher.

References

CVSS Score

6.3
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    Low
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    Low
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P
Credit
OmniTaint
CVE
CVE-2021-23348
CWE
CWE-77
Snyk ID
SNYK-JS-PORTPROCESSES-1078536
Disclosed
23 Feb, 2021
Published
31 Mar, 2021