First published: Tue Feb 16 2021
The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. The problem was fixed in version 5.3.1. As a workaround, instead of upgrading, be sure to check or sanitize the service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ...: allow only strings and reject any arrays. String sanitation works as expected.
Credit: security-advisories@github.com
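The workaround above (accept only strings, reject arrays, and sanitize what remains) as an added example; this is not systeminformation's own code, and the function names, the `kind` labels and the allowlist patterns are this example's assumptions:

```javascript
// Added example: caller-side guard implementing the advisory's workaround
// for CVE-2021-21315. Names and patterns are assumptions of this example,
// not systeminformation's API.
'use strict';

const KINDS = {
  // si.services() / si.processLoad(): comma-separated names, or "*"
  name: /^(\*|[A-Za-z0-9_.@-]+(,[A-Za-z0-9_.@-]+)*)$/,
  // si.inetLatency() / si.inetChecksite(): a hostname or an http(s) URL
  host: /^(https?:\/\/)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*(:\d{1,5})?(\/[A-Za-z0-9._~\/-]*)?$/,
};
const MAX_LEN = 2000;

// Returns { ok: true, value } for an acceptable parameter, otherwise
// { ok: false, reason }. Arrays and other non-strings are rejected up
// front: the advisory says string sanitation works, so only strings
// should ever reach the library.
function checkSiParam(value, kind) {
  if (Array.isArray(value)) return { ok: false, reason: 'array rejected' };
  if (typeof value !== 'string') {
    return { ok: false, reason: `unsupported type ${typeof value}` };
  }
  if (value.length === 0 || value.length > MAX_LEN) {
    return { ok: false, reason: 'bad length' };
  }
  const re = KINDS[kind];
  if (!re) throw new Error(`unknown parameter kind: ${kind}`);
  if (!re.test(value)) return { ok: false, reason: 'disallowed characters' };
  return { ok: true, value };
}

// Wrapper to put in front of si.services() and friends. `siFn` is the
// systeminformation function; it is passed in so this runs offline.
async function callGuarded(siFn, value, kind) {
  const res = checkSiParam(value, kind);
  if (!res.ok) throw new TypeError(`refusing to call: ${res.reason}`);
  return siFn(res.value);
}
```

In application code, `callGuarded(si.services, userInput, 'name')` replaces a direct `si.services(userInput)`.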
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Systeminformation Systeminformation | <5.3.1 | Upgrade to 5.3.1 or later |
| Npm package System Information Library for Node.JS | =10.0.0 | |
CVE-2021-21315 is a command injection vulnerability in the System Information Library for Node.js.
The severity of CVE-2021-21315 is high with a CVSS score of 7.8.
CVE-2021-21315 affects the System Information Library for Node.js versions before 5.3.1.
To fix CVE-2021-21315, update the systeminformation npm package to version 5.3.1 or higher.
References for CVE-2021-21315:
- [GitHub Commit](https://github.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2ace8bfd8b525)
- [GitHub Advisory](https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2m8v-572m-ff2v)
- [Apache Cordova Mailing List](https://lists.apache.org/thread.html/r8afea9a83ed568f2647cccc6d8d06126f9815715ddf9a4d479b26b05@%3Cissues.cordova.apache.org%3E)