Description
This affects all versions of package roar-pidusage. If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible for an attacker to execute arbitrary commands. This is due to the use of the child_process exec function without input sanitization.
{"id": "CVE-2021-23380", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-23380", "description": "This affects all versions of package roar-pidusage. If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.", "published": "2021-04-18T19:15:00", "modified": "2022-06-28T14:11:00", "epss": [{"cve": "CVE-2021-23380", "epss": 0.00081, "percentile": 0.33701, "modified": "2023-12-03"}], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23380", "reporter": "report@snyk.io", "references": ["https://snyk.io/vuln/SNYK-JS-ROARPIDUSAGE-1078528", "https://github.com/Svjard/pidusage/blob/772cd2bd675ff7b1244b6fe3d7541692b1b9e42c/lib/stats.js%23L103"], "cvelist": ["CVE-2021-23380"], "immutableFields": [], "lastseen": "2023-12-03T14:43:33", "viewCount": 40, "enchantments": 
{"dependencies": {"references": [{"type": "github", "idList": ["GHSA-XFXF-QW26-HR33"]}, {"type": "osv", "idList": ["OSV:GHSA-XFXF-QW26-HR33"]}, {"type": "prion", "idList": ["PRION:CVE-2021-23380"]}, {"type": "veracode", "idList": ["VERACODE:30022"]}]}, "score": {"value": 7.4, "uncertanity": 0.0, "vector": "NONE"}, "twitter": {"counter": 2, "modified": "2021-04-19T09:50:24", "tweets": [{"link": "https://twitter.com/threatintelctr/status/1384054674710433799", "text": " NEW: CVE-2021-23380 This affects all versions of package roar-pidusage. If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible for an attack... (click for more) https://t.co/7X78YDnCg2?amp=1"}, {"link": "https://twitter.com/threatintelctr/status/1384054674710433799", "text": " NEW: CVE-2021-23380 This affects all versions of package roar-pidusage. If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible for an attack... 
(click for more) https://t.co/7X78YDnCg2?amp=1"}]}, "backreferences": {"references": [{"type": "github", "idList": ["GHSA-XFXF-QW26-HR33"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2021-23380", "epss": 0.00069, "percentile": 0.28382, "modified": "2023-05-07"}], "short_description": "roar-pidusage package allows arbitrary command execution.", "tags": ["cve-2021-23380", "package vulnerability", "command execution", "input sanitization", "nvd", "security advisory"], "vulnersScore": 7.4}, "_state": {"dependencies": 1701618697, "score": 1701616085, "affected_software_major_version": 0, "epss": 0, "chatgpt": 0}, "_internal": {"score_hash": "b162719bbb8cae1b52fe256dadc9b9a9", "chatgpt": "bcd8b0c2eb1fce714eab6cef0d771acc"}, "cna_cvss": {"cna": "snyk", "cvss": {"3": {"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P", "score": 5.6}}}, "cpe": ["cpe:/a:roar-pidusage_project:roar-pidusage:*"], "cpe23": ["cpe:2.3:a:roar-pidusage_project:roar-pidusage:*:*:*:*:*:node.js:*:*"], "cwe": ["CWE-78"], "affectedSoftware": [{"cpeName": "roar-pidusage_project:roar-pidusage", "version": "*", "operator": "eq", "name": "roar-pidusage project roar-pidusage"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:roar-pidusage_project:roar-pidusage:*:*:*:*:*:node.js:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://snyk.io/vuln/SNYK-JS-ROARPIDUSAGE-1078528", "name": "https://snyk.io/vuln/SNYK-JS-ROARPIDUSAGE-1078528", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/Svjard/pidusage/blob/772cd2bd675ff7b1244b6fe3d7541692b1b9e42c/lib/stats.js%23L103", "name": "https://github.com/Svjard/pidusage/blob/772cd2bd675ff7b1244b6fe3d7541692b1b9e42c/lib/stats.js%23L103", "refsource": "MISC", "tags": ["Broken Link"]}], "product_info": [{"vendor": "Roar-pidusage_project", "product": "Roar-pidusage"}], 
"solutions": [], "workarounds": [], "impacts": [], "problemTypes": [{"descriptions": [{"description": "Arbitrary Command Injection", "lang": "en", "type": "text"}]}], "exploits": [], "assigned": "2021-01-08T00:00:00"}
{"osv": [{"lastseen": "2022-07-05T23:02:03", "description": "This affects all current versions of package roar-pidusage. If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 7.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.4}, "published": "2021-05-06T15:55:43", "type": "osv", "title": "Arbitrary command execution in roar-pidusage", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-23380"], "modified": "2022-07-05T18:02:04", "id": "OSV:GHSA-XFXF-QW26-HR33", "href": "https://osv.dev/vulnerability/GHSA-xfxf-qw26-hr33", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "prion": [{"lastseen": "2023-11-22T00:38:21", "description": "This affects all versions of package roar-pidusage. If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible for an attacker to execute arbitrary commands. 
This is due to use of the child_process exec function without input sanitization.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2021-04-18T19:15:00", "type": "prion", "title": "Design/Logic Flaw", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-23380"], "modified": "2022-06-28T14:11:00", "id": "PRION:CVE-2021-23380", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2021-23380", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2023-04-18T06:52:10", "description": "roar-pidusage is vulnerable to arbitrary code execution. 
The vulnerability exists due to the lack of sanitization of user-provided input which is directly used in the `child_process.exec` function.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2021-04-19T04:52:13", "type": "veracode", "title": "Arbitrary Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-23380"], "modified": "2021-04-23T05:27:09", "id": "VERACODE:30022", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30022/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "github": [{"lastseen": "2023-12-03T17:29:07", "description": "This affects all current versions of package roar-pidusage. If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible for an attacker to execute arbitrary commands. 
This is due to use of the child_process exec function without input sanitization.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2021-05-06T15:55:43", "type": "github", "title": "Arbitrary command execution in roar-pidusage", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-23380"], "modified": "2023-01-27T05:00:54", "id": "GHSA-XFXF-QW26-HR33", "href": "https://github.com/advisories/GHSA-xfxf-qw26-hr33", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}