Description
This affects all versions of package roar-pidusage. If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
Remediation
References
https://snyk.io/vuln/SNYK-JS-ROARPIDUSAGE-1078528
https://github.com/Svjard/pidusage/blob/772cd2bd675ff7b1244b6fe3d7541692b1b9e42c/lib/stats.js%23L103
Related Vulnerabilities
CVE-2020-8116 Vulnerability in maven package org.webjars.npm:dot-prop
CVE-2017-16091 Vulnerability in npm package xtalk
CVE-2022-36527 Vulnerability in maven package com.jflyfox:jflyfox_jfinal
CVE-2023-48796 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-worker
CVE-2020-13654 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore