Home > Vulnerability Database > WS-2021-0630

Mend.io Vulnerability Database

WS-2021-0630

Good to know:

Date: September 13, 2021

There is "OS Command Injection" vulnerability on "is-program-installed" npm package before 2.3.4. This package tries to understand the given parameter name (program or binary name) is installed in the computer or not. However, since this package does not properly control the characters in the program name taken as input, it is possible to run commands on the operating system.

Language: JS

Severity Score

8.4

Related Resources (2)

Url: https://github.com/zacanger/is-program-installed/commit/d96b35fa45c7311872f0d358f69fb5974d5da8f6

Url: https://www.mend.io/vulnerability-database/WS-2021-0630

Severity Score

8.4

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

Top Fix

Upgrade Version

Upgrade to version is-program-installed - 2.3.4

Learn More

CVSS v3.1

Base Score:	8.4
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

WS-2021-0630

Good to know:

Date: September 13, 2021

Language: JS

Severity Score

Related Resources (2)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?