Description
This affects all versions of package roar-pidusage. If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
Remediation
References
https://github.com/Svjard/pidusage/blob/772cd2bd675ff7b1244b6fe3d7541692b1b9e42c/lib/stats.js%23L103
https://snyk.io/vuln/SNYK-JS-ROARPIDUSAGE-1078528
Related Vulnerabilities
CVE-2023-46494 Vulnerability in npm package @evershop/evershop
CVE-2023-30528 Vulnerability in maven package org.jenkins-ci.plugins:wso2id-oauth
CVE-2020-7633 Vulnerability in npm package apiconnect-cli-plugins
CVE-2022-39202 Vulnerability in npm package matrix-appservice-irc
CVE-2023-46650 Vulnerability in maven package com.coravy.hudson.plugins.github:github