CVE-2019-15599
Command Injection in tree-kill
EPSS 3.8%
Description
Versions of `tree-kill` prior to 1.2.2 are vulnerable to Command Injection. The package fails to sanitize values passed to the `kill` function. If this value is user-controlled, it may allow attackers to run arbitrary commands on the server. The issue only affects Windows systems.
Recommendation
Upgrade to version 1.2.2 or later.
How to fix CVE-2019-15599
To fix CVE-2019-15599, upgrade the affected package to the patched version listed below.
- npm/tree-kill: upgrade to 1.2.2 or later
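A defensive sketch for callers, added here as an example and not taken from the advisory or from the tree-kill project: it flags installed versions inside the affected range and strictly validates a PID before it reaches `kill(pid, signal, callback)`. The helper names, the injected `kill` argument and the 32-bit upper bound on PIDs are assumptions made for this example.

```javascript
'use strict';

// Fixed version from the advisory: anything below 1.2.2 is affected.
const FIXED = [1, 2, 2];
// Assumed upper bound for a PID (fits an unsigned 32-bit value).
const MAX_PID = 0xffffffff;

// True when an "x.y.z" version string falls in the affected range (< 1.2.2).
// Assumption: any pre-release or build suffix after the patch number is ignored.
function isAffectedTreeKill(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new TypeError('unrecognised version: ' + version);
  const parts = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return false; // exactly 1.2.2
}

// Strict PID parser: accepts a positive integer or a canonical decimal string.
// parseInt()-style parsing is avoided because it accepts trailing text
// ("12abc" parses as 12); the whole value has to be digits.
function parsePid(input) {
  let n = NaN;
  if (typeof input === 'number') {
    n = input;
  } else if (typeof input === 'string' && /^[1-9]\d{0,9}$/.test(input)) {
    n = Number(input);
  }
  if (!Number.isInteger(n) || n < 1 || n > MAX_PID) {
    throw new TypeError('pid must be a positive integer');
  }
  return n;
}

// Hypothetical wrapper: `kill` is the function exported by tree-kill, passed
// in by the caller so that only a validated number is ever handed to it.
function safeTreeKill(kill, rawPid, signal, callback) {
  return kill(parsePid(rawPid), signal, callback);
}
```

Validation at the call site complements the upgrade to 1.2.2 or later and does not replace it.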
Is CVE-2019-15599 being exploited?
Low: the EPSS score is 3.8%, and no large-scale exploitation activity has been observed so far.
Affected packages (1)
- from 0, < 1.2.2