Lucene search

SnykCVELIST:CVE-2021-23379

HistoryApr 18, 2021 - 6:45 p.m.

CVE-2021-23379 Arbitrary Command Injection

2021-04-1818:45:26

snyk

www.cve.org

arbitrary command injection

package portkiller

input sanitization

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P

AI Score

9.9

Confidence

High

EPSS

0.005

Percentile

76.1%

JSON

This affects all versions of package portkiller. If (attacker-controlled) user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

CNA Affected

[
  {
    "product": "portkiller",
    "vendor": "n/a",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/indatawetrust/portkiller/blob/f1f1c5076d9c5d60e8dd3930e98d665d8191aa7a/index.js%23L10

snyk.io/vuln/SNYK-JS-PORTKILLER-1078537

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P

AI Score

9.9

Confidence

High

EPSS

0.005

Percentile

76.1%

JSON

Related for CVELIST:CVE-2021-23379