Main Vulnerability Database SB2021040607

SB2021040607 - Command Injection in kill-by-port package for npm

Published: April 6, 2021

Security Bulletin ID SB2021040607

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Command Injection (CVE-ID: CVE-2021-23363)

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to improper input validation in the "killByPort" function. A remote authenticated attacker can pass specially crafted data to the application and execute arbitrary commands on the target system.

Remediation

Install update from vendor's website.

References

https://github.com/GuyMograbi/kill-by-port/blob/16dcbe264b6b4a5ecf409661b42836dd286fd43f/index.js%23L8
https://github.com/GuyMograbi/kill-by-port/commit/ea5b1f377e196a4492e05ff070eba8b30b7372c4
https://snyk.io/vuln/SNYK-JS-KILLBYPORT-1078531