Critical severity. NVD Advisory. Published Sep 1, 2020. Updated Sep 23, 2021.
Command Injection in pidusage
CVE-2017-16034
Description
Affected versions of pidusage pass unsanitized input to child_process.exec(), resulting in arbitrary code execution in the ps method.
This package is vulnerable to this PoC on Darwin, SunOS, FreeBSD, and AIX.
Windows and Linux are not vulnerable.
Proof of Concept

```javascript
var pid = require('pidusage');
pid.stat('1 && /usr/local/bin/python');
```
Recommendation
Update to version 1.1.5 or later.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pidusage (npm) | < 1.1.5 | 1.1.5 |
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-hfq9-rfpv-j8r8 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-16034 (GHSA, advisory)
- www.npmjs.com/advisories/356 (GHSA, web)