
Versions of `tree-kill` prior to 1.2.2 are vulnerable to Command Injection #16630

Closed
mikeIFTS opened this issue Jan 10, 2020 · 2 comments

@mikeIFTS mikeIFTS commented Jan 10, 2020

We use audit-ci to audit for possible security issues within one of our apps. Below is the error that was reported from the automated tool.

Looks like `tree-kill` may need to be updated to 1.2.2?
https://github.com/angular/angular/blob/master/yarn.lock#L71

References:

yarn run v1.21.1
$ /home/circleci/foo/frontend/node_modules/.bin/audit-ci --high
audit-ci version: 2.4.2
Yarn audit report results:
{
  "resolution": {
    "id": 1432,
    "path": "@angular-devkit/build-angular>tree-kill",
    "dev": false,
    "optional": false,
    "bundled": false
  },
  "advisory": {
    "findings": [
      {
        "version": "1.2.1",
        "paths": [
          "@angular-devkit/build-angular>tree-kill"
        ]
      }
    ],
    "id": 1432,
    "created": "2019-12-11T17:24:39.056Z",
    "updated": "2020-01-10T17:25:01.320Z",
    "deleted": null,
    "title": "Command Injection",
    "found_by": {
      "link": "",
      "name": "Michele Romano (mik317)",
      "email": ""
    },
    "reported_by": {
      "link": "",
      "name": "Michele Romano (mik317)",
      "email": ""
    },
    "module_name": "tree-kill",
    "cves": [],
    "vulnerable_versions": "<1.2.2",
    "patched_versions": ">=1.2.2",
    "overview": "Versions of `tree-kill` prior to 1.2.2 are vulnerable to Command Injection. The package fails to sanitize values passed to the  `kill` function. If this value is user-controlled it  may allow attackers to run arbitrary commands in the server. The issue only affects Windows systems.",
    "recommendation": "Upgrade to version 1.2.2 or later.",
    "references": "- [HackerOne report](https://hackerone.com/reports/701183)",
    "access": "public",
    "severity": "high",
    "cwe": "CWE-78",
    "metadata": {
      "module_type": "",
      "exploitability": 6,
      "affected_components": ""
    },
    "url": "https://npmjs.com/advisories/1432"
  }
}
{
  "vulnerabilities": {
    "info": 0,
    "low": 2,
    "moderate": 0,
    "high": 1,
    "critical": 0
  },
  "dependencies": 24360,
  "devDependencies": 0,
  "optionalDependencies": 0,
  "totalDependencies": 24360
}
@AndrewKushnir AndrewKushnir transferred this issue from angular/angular Jan 10, 2020
@alan-agius4 alan-agius4 commented Jan 10, 2020

Duplicate of #16629

@alan-agius4 alan-agius4 marked this as a duplicate of #16630 Jan 10, 2020
@alan-agius4 alan-agius4 marked this as a duplicate of #16629 Jan 10, 2020
@cwilby cwilby commented Jan 13, 2020
