CVE-2021-23380 — Arbitrary command execution in roar-pidusage

Description

This affects all current versions of package roar-pidusage. If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

How to fix CVE-2021-23380

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2021-23380 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 1.1.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-23380
PATCHgithub.com/Svjard/pidusage
WEBgithub.com/Svjard/pidusage/blob/772cd2bd675ff7b1244b6fe3d7541692b1b9e42c/lib/stats.js%23L103
WEBsnyk.io/vuln/SNYK-JS-ROARPIDUSAGE-1078528