CVE-2021-23380 – roar-pidusage
Package
Manager: npm
Name: roar-pidusage
Vulnerable Version: >=0 <=1.1.7
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00496 (percentile 0.64812)
Details
Arbitrary command execution in roar-pidusage
This affects all current versions of the package roar-pidusage. If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
Metadata
Created: 2021-05-06T15:55:43Z
Modified: 2022-07-05T18:02:04Z
Source: MANUAL
CWE IDs: CWE-77
Alternative ID: GHSA-xfxf-qw26-hr33
Finding: F422
Auto approve: 1