Vulnerability Description
This affects the package portprocesses before 1.0.5. If (attacker-controlled) user input is given to the killProcess function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Portprocesses Project | Portprocesses | < 1.0.5 |
Related Weaknesses (CWE)
References
- https://github.com/rrainn/PortProcesses/blob/fffceb09aff7180afbd0bd172e820404b33Broken Link
- https://github.com/rrainn/PortProcesses/commit/86811216c9b97b01b5722f879f8c88a7aPatchThird Party Advisory
- https://github.com/rrainn/PortProcesses/security/advisories/GHSA-vm67-7vmg-66vmExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-JS-PORTPROCESSES-1078536ExploitThird Party Advisory
- https://github.com/rrainn/PortProcesses/blob/fffceb09aff7180afbd0bd172e820404b33Broken Link
- https://github.com/rrainn/PortProcesses/commit/86811216c9b97b01b5722f879f8c88a7aPatchThird Party Advisory
- https://github.com/rrainn/PortProcesses/security/advisories/GHSA-vm67-7vmg-66vmExploitThird Party Advisory
- https://snyk.io/vuln/SNYK-JS-PORTPROCESSES-1078536ExploitThird Party Advisory
FAQ
What is CVE-2021-23348?
CVE-2021-23348 is a vulnerability with a CVSS score of 6.3 (MEDIUM). This affects the package portprocesses before 1.0.5. If (attacker-controlled) user input is given to the killProcess function, it is possible for an attacker to execute arbitrary commands. This is due...
How severe is CVE-2021-23348?
CVE-2021-23348 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-23348?
Check the references section above for vendor advisories and patch information. Affected products include: Portprocesses Project Portprocesses.