Mar 15, 2021 - 4:40 p.m.

CVE-2021-23356 Arbitrary Command Injection

2021-03-15 16:40:18
snyk
www.cve.org
cve-2021-23356
arbitrary command injection
package kill-process-by-name
child_process exec
input sanitization
index.js file

CVSS3: 5.6
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P

AI Score: 9.9 (Confidence: High)
EPSS: 0.005 (Percentile: 75.5%)

This affects all versions of the package kill-process-by-name. If attacker-controlled user input is given, it is possible for an attacker to execute arbitrary commands. This is due to the use of the child_process exec function without input sanitization in the index.js file.
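The pattern described above next to a hardened form, as an added example that is not taken from kill-process-by-name's index.js. The `pkill -x` command, the allowlist and every function name are assumptions made for illustration, and the sample inputs are constructed.

```javascript
'use strict';
// Added illustration, not the package's own code. The pkill command line and
// all names below are assumptions chosen for the example.
const { execFile } = require('node:child_process');

// Pattern the advisory describes: the name is concatenated into one string
// that child_process.exec() hands to a shell, so metacharacters in `name`
// become shell syntax. Returned as a string here, never executed.
function shellStringFor(name) {
  return 'pkill -x ' + name;
}

// Allowlist: letters, digits, dot, underscore, hyphen; at most 64 characters;
// no leading "-" so the value cannot be parsed as an option.
const SAFE_NAME = /^[A-Za-z0-9._][A-Za-z0-9._-]{0,63}$/;

function validateProcessName(name) {
  if (typeof name !== 'string' || !SAFE_NAME.test(name)) {
    throw new TypeError('invalid process name');
  }
  return name;
}

// Hardened form: program plus argument vector, no shell involved.
// "--" ends option parsing as a second line of defence.
function killArgv(name) {
  return ['pkill', ['-x', '--', validateProcessName(name)]];
}

function killByName(name, callback) {
  const [file, args] = killArgv(name);
  // execFile spawns the binary directly; the name stays a single argv entry.
  execFile(file, args, { shell: false, timeout: 5000 }, (err) => {
    // pkill exits with 1 when nothing matched: report "none killed", not an error.
    if (err && err.code !== 1) return callback(err);
    callback(null, !err);
  });
}

// Run the validator over a list of names and report which ones are accepted.
function audit(names) {
  return names.map((n) => {
    try { validateProcessName(n); return { name: n, ok: true }; }
    catch (e) { return { name: n, ok: false }; }
  });
}

// Constructed sample inputs: two ordinary names, one with shell syntax, one option-like.
const SAMPLE = ['node', 'my-worker_1', 'node; echo injected', '-9'];
```

Validation and the argument-vector call are independent controls: `execFile` alone keeps the name out of a shell, and the allowlist additionally stops option-like or oversized values from reaching the binary.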

CNA Affected

[
  {
    "product": "kill-process-by-name",
    "vendor": "n/a",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]
