CVE-2017-1000220

描述

### Overview Affected versions of pidusage pass unsanitized input to `child_process.exec()`, resulting in arbitrary code execution in the `ps` method. This package is vulnerable to this PoC on Darwin, SunOS, FreeBSD, and AIX. Windows and Linux are not vulnerable. ### Proof of Concept ```js var pid = require('pidusage'); pid.stat('1 && /usr/local/bin/python'); ``` ### Remediation Update to version 1.1.5 or later.

受影響套件(1)

• npm/pidusagefrom 0, < 1.1.5

CVSS 分數

參考連結(4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-1000220
• PATCHhttps://github.com/soyuka/pidusage
• WEBhttps://github.com/soyuka/pidusage/commit/b70eca15f7ca7f1b82a15f8a5d4bb48737f5a89d
• WEBhttps://web.archive.org/web/20201208183910/https://www.npmjs.com/advisories/356