Arbitrary Command Injection

Affecting pidusage package, versions <1.1.5

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

pidusage is a package for Cross-platform process cpu % and memory usage of a PID. Affected versions of the package are vulnerable to Arbitrary Command Injection. It passes user input to child_process.exec without sanitization, which causes a command injection vulnerability in the ps function due to never casting the PID to an integer.

PoC:

var pid = require('pidusage');
pid.stat('1 && /usr/local/bin/python');

Remediation

Upgrade pidusage to version 1.1.5 or higher.

References

CVSS Score

8.4
high severity
  • Attack Vector
    Local
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Credit
micaksica
CVE
CVE-2017-1000220 CVE-2017-16034
CWE
CWE-77
Snyk ID
npm:pidusage:20170605
Disclosed
05 Jun, 2017
Published
07 Jun, 2017