CVE-2021-21315

Warning

EPSS 93.76%
Published 16.02.2021 17:15:13
Last modified 13.02.2025 20:06:17
Source security-advisories@github.com
Teams watchlist Login
Open Login

The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. Problem was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.

Affected products Warnungen 1 Metrics 4 CWE 1 References 8

Data is provided by the National Vulnerability Database (NVD)

Systeminformation ≫ Systeminformation SwPlatformnode.js Version < 5.3.1

Apache ≫ Cordova Version10.0.0 SwPlatform-

18.01.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

System Information Library for Node.JS Command Injection

Vulnerability

In this vulnerability, an attacker can send a malicious payload that will exploit the name parameter. After successful exploitation, attackers can execute remote.

Description

Apply updates per vendor instructions.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	93.76%	0.999

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	4.6	3.9	6.4	AV:L/AC:L/Au:N/C:P/I:P/A:P
security-advisories@github.com	7.1	2.5	4	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://www.npmjs.com/package/systeminformation

Product

https://github.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2ace8bfd8b525

Patch

https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2m8v-572m-ff2v

Third Party Advisory

https://lists.apache.org/thread.html/r8afea9a83ed568f2647cccc6d8d06126f9815715ddf9a4d479b26b05%40%3Cissues.cordova.apache.org%3E

Mailing List

Issue Tracking

https://security.netapp.com/advisory/ntap-20210312-0007/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-21315

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-21315

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-21315

EUVD