
GHSA-9px9-f7jw-fwhj: Command Injection in priest-runner

CVSS Score: N/A

Basic Information

CVE ID: -
EPSS Score: -
Published: 9/3/2020
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: -

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
priest-runner | npm | >= 0.0.0 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The GitHub Advisory explicitly identifies PriestController.prototype.createChild as the vulnerable function. The description confirms that user-controlled input from the POST request is used in a spawn call without sanitization, which is a textbook command injection vector. No other functions are mentioned in the provided vulnerability details, and the lack of input validation aligns with CWE-77.

Vulnerable functions


WAF Protection Rules

WAF Rule

All versions of `priest-runner` are vulnerable to Command Injection. The package fails to sanitize input and passes it directly to a `spawn` call, which may allow attackers to execute arbitrary code in the system. The `PriestController.prototype.crea

Reasoning

The GitHub Advisory explicitly identifies `PriestController.prototype.createChild` as the vulnerable function. The description confirms that user-controlled input from the POST request is used in a `spawn` call without sanitization, which is a textbo