Description

All versions including 0.0.4 of lsof npm module are vulnerable to Command Injection. Every exported method used by the package uses the exec function to parse user input.

Remediation

References

https://snyk.io/vuln/SNYK-JS-LSOF-543632

Related Vulnerabilities

CVE-2022-36097 Vulnerability in maven package org.xwiki.platform:xwiki-platform-attachment-ui

CVE-2019-0230 Vulnerability in maven package org.apache.struts:struts2-core

CVE-2020-7643 Vulnerability in npm package paypal-adaptive

CVE-2021-42697 Vulnerability in maven package com.typesafe.akka:akka-http

CVE-2022-21830 Vulnerability in npm package @rocket.chat/livechat

Severity

Critical

Classification

CWE-78 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory