CVE-2017-16034

Command Injection in pidusage

Published: 2020/9/1  Modified: 2023/11/8

Description

Affected versions of `pidusage` pass unsanitized input to `child_process.exec()`, resulting in arbitrary code execution in the `ps` method. This package is vulnerable to this PoC on Darwin, SunOS, FreeBSD, and AIX. Windows and Linux are not vulnerable.

## Proof of Concept

```
var pid = require('pidusage');
pid.stat('1 && /usr/local/bin/python');
```

## Recommendation

Update to version 1.1.5 or later.

Affected packages (1)

References (2)