DATABASE RESOURCES PRICING ABOUT US

{"id": "CVE-2021-23355", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-23355", "description": "This affects all versions of package ps-kill. If (attacker-controlled) user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization in the index.js file. PoC (provided by reporter): var ps_kill = require('ps-kill'); ps_kill.kill('$(touch success)',function(){});", "published": "2021-03-15T17:15:00", "modified": "2022-06-28T14:11:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23355", "reporter": "report@snyk.io", "references": ["https://snyk.io/vuln/SNYK-JS-PSKILL-1078529"], "cvelist": ["CVE-2021-23355"], "immutableFields": [], "lastseen": "2023-02-09T14:09:53", "viewCount": 23, "enchantments": {"dependencies": {"references": [{"type": "cnvd", "idList": ["CNVD-2022-13079"]}, {"type": "github", "idList": ["GHSA-7QMM-Q394-FMCH"]}, {"type": "osv", "idList": ["OSV:GHSA-7QMM-Q394-FMCH"]}, {"type": "veracode", "idList": ["VERACODE:29710"]}]}, "score": {"value": 5.0, "vector": "NONE"}, "backreferences": {"references": [{"type": "github", "idList": ["GHSA-7QMM-Q394-FMCH"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2021-23355", "epss": "0.002890000", "percentile": "0.640390000", "modified": "2023-03-17"}], "vulnersScore": 5.0}, "_state": {"dependencies": 1675958436, "score": 1675959367, "affected_software_major_version": 1677297687, "epss": 1679070268}, "_internal": {"score_hash": "c51d26078c9c2d2bcc734ca529993494"}, "cna_cvss": {"cna": "Snyk", "cvss": {"3": {"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "score": 5.6}}}, "cpe": ["cpe:/a:ps-kill_project:ps-kill:*"], "cpe23": ["cpe:2.3:a:ps-kill_project:ps-kill:*:*:*:*:*:node.js:*:*"], "cwe": ["CWE-78"], "affectedSoftware": [{"cpeName": "ps-kill_project:ps-kill", "version": "*", "operator": "eq", "name": "ps-kill project ps-kill"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:ps-kill_project:ps-kill:*:*:*:*:*:node.js:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://snyk.io/vuln/SNYK-JS-PSKILL-1078529", "name": "https://snyk.io/vuln/SNYK-JS-PSKILL-1078529", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}], "product_info": [{"vendor": "Ps-kill_project", "product": "Ps-kill"}]}

{"veracode": [{"lastseen": "2022-07-26T13:32:17", "description": "ps-kill is vulnerable to remote code execution. The child_process exec function in index.js file does not sanitize the user-provided data to the kill function, allowing to execute malicious code via `var ps_kill = require('ps-kill'); ps_kill.kill('$(touch success)',function(){});`.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-16T03:48:29", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-23355"], "modified": "2021-03-16T06:37:27", "id": "VERACODE:29710", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-29710/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "github": [{"lastseen": "2023-02-01T05:08:17", "description": "This affects all versions of package ps-kill. If (attacker-controlled) user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization in the index.js file. PoC (provided by reporter): var ps_kill = require('ps-kill'); ps_kill.kill('$(touch success)',function(){});", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-19T21:19:29", "type": "github", "title": "Command Injection in ps-kill", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-23355"], "modified": "2023-02-01T05:05:17", "id": "GHSA-7QMM-Q394-FMCH", "href": "https://github.com/advisories/GHSA-7qmm-q394-fmch", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2022-05-12T01:19:13", "description": "This affects all versions of package ps-kill. If (attacker-controlled) user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization in the index.js file. PoC (provided by reporter): var ps_kill = require('ps-kill'); ps_kill.kill('$(touch success)',function(){});", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-19T21:19:29", "type": "osv", "title": "Command Injection in ps-kill", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-23355"], "modified": "2021-03-25T00:17:34", "id": "OSV:GHSA-7QMM-Q394-FMCH", "href": "https://osv.dev/vulnerability/GHSA-7qmm-q394-fmch", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cnvd": [{"lastseen": "2022-11-04T13:52:40", "description": "Npm ps-kill is an application from Npm, Inc. Npm ps-kill is vulnerable to command injection, which can be exploited by attackers to execute arbitrary commands.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-17T00:00:00", "type": "cnvd", "title": "Npm ps-kill command injection vulnerability", "bulletinFamily": "cnvd", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-23355"], "modified": "2022-02-22T00:00:00", "id": "CNVD-2022-13079", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-13079", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}