This affects all versions of package port-killer. If (attacker-controlled) user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. Running this PoC will cause the command touch success to be executed, leading to the creation of a file called success.
References
Link | Resource |
---|---|
https://github.com/tylerjpeterson/port-killer/blob/1ca3a99ad80cc9ed5498d12b185189c10329025b/index.js%23L19 | Broken Link |
https://snyk.io/vuln/SNYK-JS-PORTKILLER-1078533 | Exploit Third Party Advisory |
Configurations
History
No history.
Information
Published : 2021-03-18 13:15
Updated : 2024-02-28 18:08
NVD link : CVE-2021-23359
Mitre link : CVE-2021-23359
CVE.ORG link : CVE-2021-23359
JSON object : View
Products Affected
port-killer_project
- port-killer
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')