Platform: nodejs
Component: tree-kill
Fixed in: 1.2.2
CVE-2019-15598 is a Command Injection vulnerability discovered in the tree-kill Node.js module. This flaw allows an attacker to execute arbitrary commands on the system if they can control the input provided to the tree-kill function. The vulnerability affects versions prior to 1.2.2 and can lead to complete system compromise. A patch was released in version 1.2.2.
The impact of CVE-2019-15598 is severe. An attacker can leverage this vulnerability to execute arbitrary commands with the privileges of the Node.js process. This could involve installing malware, stealing sensitive data, modifying system files, or establishing a persistent backdoor. The attack is particularly concerning because it can be triggered remotely via a crafted input string, potentially bypassing traditional security controls. The provided proof-of-concept demonstrates the ease with which an attacker can create a file named HACKED.txt on the system, indicating successful command execution.
This vulnerability was publicly disclosed in 2019 but gained renewed attention with the release of a clear proof-of-concept in 2022. While not currently listed on KEV, the high CVSS score and readily available exploit suggest a medium probability of exploitation. Public proof-of-concept code is available, making it relatively easy for attackers to exploit the vulnerability. The NVD entry was published on May 24, 2022.
Applications and systems that include the tree-kill Node.js module among their dependencies are at risk. This includes projects that rely on tree-kill for process management or tree traversal. Applications with weak input validation, or those running with elevated privileges, are particularly exposed.
• nodejs / supply-chain:
  Get-Process | Where-Object {$_.ProcessName -like '*node*'} | Select-Object -ExpandProperty Path
• nodejs / supply-chain:
  Get-ChildItem -Path $env:NODE_PATH -Recurse -Filter "tree-kill*" | Select-Object -ExpandProperty FullName
• generic web:
  find / -path "*/node_modules/tree-kill" -type d 2>/dev/null
discovery
disclosure
patch
Exploit status
EPSS: 3.75% (88th percentile)
CVSS vector
The primary mitigation for CVE-2019-15598 is to upgrade the tree-kill module to version 1.2.2 or later. If upgrading is not immediately feasible, implement input sanitization that validates and escapes any user-supplied data before it is passed to the tree-kill function; a library specifically designed for command injection prevention can help here. Additionally, restrict the permissions of the Node.js process to minimize the potential damage from a successful exploit. There are no specific WAF rules or detection signatures readily available, making input validation the most critical defense.
Update the tree-kill utility to a patched version that fixes the code injection vulnerability. This prevents remote code execution when an attacker controls the input to the command. Consult the release notes or the vendor's website for specific upgrade instructions.
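As an added example (not tree-kill's own code, and not from this advisory), a wrapper that enforces the input validation recommended above before anything reaches tree-kill. The names validatePid, validateSignal, killTreeSafely and the injected killFn parameter are hypothetical; in an application killFn would be require('tree-kill').

```javascript
// Added example, not part of tree-kill or of this advisory. The helpers
// validatePid, validateSignal and killTreeSafely are hypothetical names.
// Versions of tree-kill before 1.2.2 placed the pid argument on a shell
// command line, so the defence is to let nothing but a plain positive
// integer (and a known signal name) reach the call.

const ALLOWED_SIGNALS = new Set(['SIGTERM', 'SIGKILL', 'SIGINT', 'SIGHUP']);

// Returns the pid as a Number, or throws. Numbers are stringified and
// strings must be all decimal digits with no leading zero, so values such
// as "1234; echo injected", "-1", "1.5" or " 12" are all rejected.
function validatePid(pid) {
  const text = typeof pid === 'number' ? String(pid) : pid;
  if (typeof text !== 'string' || !/^[1-9][0-9]*$/.test(text)) {
    throw new TypeError(`invalid pid: ${String(pid)}`);
  }
  const n = Number(text);
  if (!Number.isSafeInteger(n)) {
    throw new RangeError(`pid out of range: ${text}`);
  }
  return n;
}

// Only a fixed allow-list of signal names is accepted; anything else throws.
function validateSignal(signal = 'SIGTERM') {
  if (typeof signal !== 'string' || !ALLOWED_SIGNALS.has(signal)) {
    throw new TypeError(`unsupported signal: ${String(signal)}`);
  }
  return signal;
}

// killFn is injected so this file runs without tree-kill installed; in an
// application it would be require('tree-kill'). Validation happens before
// killFn is invoked, so a crafted pid never reaches the module at all.
function killTreeSafely(pid, signal, killFn, callback) {
  const safePid = validatePid(pid);
  const safeSignal = validateSignal(signal);
  killFn(safePid, safeSignal, callback);
  return { pid: safePid, signal: safeSignal };
}

// Stand-alone demo with a constructed fake killFn that only logs its arguments.
const fakeKill = (pid, sig) => console.log(`would send ${sig} to tree ${pid}`);
console.log(killTreeSafely('1234', 'SIGTERM', fakeKill));
try {
  killTreeSafely('1234; echo injected', 'SIGTERM', fakeKill);
} catch (e) {
  console.log('rejected:', e.message);
}
```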
CVE-2019-15598 is a critical Command Injection vulnerability in the tree-kill Node.js module, allowing attackers to execute arbitrary commands on the system.
You are affected if you are using a version of the tree-kill module prior to 1.2.2 and are not properly sanitizing input to the tree-kill function.
Upgrade the tree-kill module to version 1.2.2 or later. If upgrading is not possible, implement robust input sanitization to prevent command injection.
While there are no confirmed reports of active exploitation, the vulnerability's high CVSS score and readily available proof-of-concept code suggest a potential risk.
Refer to the npm advisory for CVE-2019-15598: https://www.npmjs.com/advisories/1031