CVE-2019-15599
Command Injection vulnerability in tree-kill (npm)

Command Injection · No known exploit · Fixable by Resolved Security

What is CVE-2019-15599 About?

Versions of `tree-kill` prior to 1.2.2 are vulnerable to Command Injection on Windows systems. This flaw allows attackers to execute arbitrary commands if user input is passed unsanitized to the `kill` function. Exploitation is straightforward for attackers with control over the input to the `kill` function.

Affected Software

tree-kill <1.2.2

Technical Details

The tree-kill package, in versions before 1.2.2, suffers from a Command Injection vulnerability, specifically affecting Windows environments. The kill function within the package fails to properly sanitize values provided as input. If an attacker can control the input to this kill function, they can inject arbitrary operating system commands. These injected commands are then executed by the underlying system due to the lack of input validation, providing the attacker with the ability to run arbitrary code on the affected Windows machine.

What is the Impact of CVE-2019-15599?

Successful exploitation may allow attackers to run arbitrary commands on the affected Windows system, leading to full system compromise, data theft, or service disruption.

What is the Exploitability of CVE-2019-15599?

Exploitation requires that an attacker can supply user-controlled input to the kill function of the tree-kill package. This vulnerability is specific to Windows systems. The complexity of crafting the malicious input is generally low. There are no authentication or privilege requirements beyond the ability to interact with the application using the tree-kill function. Access can be remote if the application exposes an interface that accepts user input and feeds it to the vulnerable function. The primary risk factor is the absence of input sanitization when processing user-controlled data within applications utilizing tree-kill.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary listed).

What are the Available Fixes for CVE-2019-15599?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

None

Available Upgrade Options

  • tree-kill
    • <1.2.2 → Upgrade to 1.2.2


Additional Resources

What are Similar Vulnerabilities to CVE-2019-15599?

Similar Vulnerabilities: CVE-2019-5414, CVE-2019-10775, CVE-2020-7608, CVE-2020-14123, CVE-2021-23424