Arbitrary Command Injection

Affecting ps-visitor package, ALL versions

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

ps-visitor is a Node.js visit command ps aux and kill.

Affected versions of this package are vulnerable to Arbitrary Command Injection. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

PoC (provided by reporter):

var ps_visitor = require('ps-visitor');
ps_visitor.kill('$(touch success)');

(A file called success will be created as a result of the execution of touch success.)

Remediation

There is no fixed version for ps-visitor.

References

CVSS Score

7.3
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P
Credit
OmniTaint
CVE
CVE-2021-23374
CWE
CWE-77
Snyk ID
SNYK-JS-PSVISITOR-1078544
Disclosed
18 Apr, 2021
Published
18 Apr, 2021