CVE-2021-21388
8.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H
Summary
systeminformation is an open source system and OS information library for node.js. A command injection vulnerability has been discovered in versions of systeminformation prior to 5.6.4. The issue has been fixed with a parameter check on user input. Please upgrade to version >= 5.6.4. If you cannot upgrade, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() and other commands. Only allow strings, reject any arrays. String sanitation works as expected.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| sebhildebrandt | systeminformation | < 5.6.4 | affected |
Weaknesses
- CWE-20: CWE-20: Improper Input Validation
- CWE-78: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
ADP Enrichment
CVE Program Container
Additional References
- https://www.npmjs.com/package/systeminformation
- https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-jff2-qjw8-5476
- https://github.com/sebhildebrandt/systeminformation/commit/01ef56cd5824ed6da1c11b37013a027fdef67524
- https://github.com/sebhildebrandt/systeminformation/commit/0be6fcd575c05687d1076d5cd6d75af2ebae5a46
- https://github.com/sebhildebrandt/systeminformation/commit/7922366d707de7f20995fc8e30ac3153636bf35f
References
- https://www.npmjs.com/package/systeminformation
- https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-jff2-qjw8-5476
- https://github.com/sebhildebrandt/systeminformation/commit/01ef56cd5824ed6da1c11b37013a027fdef67524
- https://github.com/sebhildebrandt/systeminformation/commit/0be6fcd575c05687d1076d5cd6d75af2ebae5a46
- https://github.com/sebhildebrandt/systeminformation/commit/7922366d707de7f20995fc8e30ac3153636bf35f
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.