CVE-2021-23348 — Arbitrary Command Injection in portprocesses

Description

### Impact An Arbitrary Command Injection vulnerability was reported in `portprocesses` impacting versions <= 1.0.4. ### Example (Proof of Concept) The following example demonstrates the vulnerability and will run `touch success` therefore creating a file named `success`. ```js const portprocesses = require("portprocesses"); portprocesses.killProcess("$(touch success)"); ```

How to fix CVE-2021-23348

To remediate CVE-2021-23348, upgrade the affected package to a fixed version below.

—upgrade to 1.0.5 or later

Is CVE-2021-23348 being exploited?

Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.0.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-23348
WEBgithub.com/rrainn/PortProcesses/blob/fffceb09aff7180afbd0bd172e820404b33c8299/index.js%23L23
WEBgithub.com/rrainn/PortProcesses/commit/86811216c9b97b01b5722f879f8c88a7aa4214e1
WEBgithub.com/rrainn/PortProcesses/security/advisories/GHSA-vm67-7vmg-66vm