CVE-2021-21315: System Information Library for Node.JS Command Injection
First published: Tue Feb 16 2021(Updated: )
The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. Problem was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Systeminformation Systeminformation | <5.3.1 | |
| Npm package System Information Library for Node.JS | =10.0.0 | |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2ace8bfd8b525
- https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2m8v-572m-ff2v
- https://lists.apache.org/thread.html/r8afea9a83ed568f2647cccc6d8d06126f9815715ddf9a4d479b26b05@%3Cissues.cordova.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210312-0007/
- https://www.npmjs.com/package/systeminformation
Frequently Asked Questions
What is CVE-2021-21315?
CVE-2021-21315 is a command injection vulnerability in the System Information Library for Node.js.
What is the severity of CVE-2021-21315?
The severity of CVE-2021-21315 is high with a CVSS score of 7.8.
How does CVE-2021-21315 affect the System Information Library for Node.js?
CVE-2021-21315 affects the System Information Library for Node.js versions before 5.3.1.
How can I fix CVE-2021-21315?
To fix CVE-2021-21315, update the systeminformation npm package to version 5.3.1 or higher.
Are there any references for CVE-2021-21315?
Yes, you can find references for CVE-2021-21315 at the following links: - [GitHub Commit](https://github.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2ace8bfd8b525) - [GitHub Advisory](https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2m8v-572m-ff2v) - [Apache Cordova Mailing List](https://lists.apache.org/thread.html/r8afea9a83ed568f2647cccc6d8d06126f9815715ddf9a4d479b26b05@%3Cissues.cordova.apache.org%3E)
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- agent/weakness
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- collector/nvd-index
- vendor/npm package
- canonical/npm package system information library for node.js
- vendor/systeminformation
- canonical/systeminformation systeminformation
- vendor/apache
- version/npm package system information library for node.js/10.0.0