CVE-2021-21315: System Information Library for Node.JS Command Injection
First published: Tue Feb 16 2021(Updated: )
### Impact command injection vulnerability ### Patches Problem was fixed with a parameter check. Please upgrade to version >= 5.3.1 ### Workarounds If you cannot upgrade, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Npm package System Information Library for Node.JS | ||
| Systeminformation Systeminformation Node.js | <5.3.1 | |
| Apache Cordova | =10.0.0 | |
| npm/systeminformation | <5.3.1 | 5.3.1 |
Remedy
https://github.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2ace8bfd8b525
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2ace8bfd8b525
- https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2m8v-572m-ff2v
- https://lists.apache.org/thread.html/r8afea9a83ed568f2647cccc6d8d06126f9815715ddf9a4d479b26b05%40%3Cissues.cordova.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210312-0007/
- https://www.npmjs.com/package/systeminformation
- https://lists.apache.org/thread.html/r8afea9a83ed568f2647cccc6d8d06126f9815715ddf9a4d479b26b05@%3Cissues.cordova.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2021-21315
- https://security.netapp.com/advisory/ntap-20210312-0007
- https://github.com/advisories/GHSA-2m8v-572m-ff2v (Advisory)
Frequently Asked Questions
What is CVE-2021-21315?
CVE-2021-21315 is a command injection vulnerability in the System Information Library for Node.js.
What is the severity of CVE-2021-21315?
The severity of CVE-2021-21315 is high with a CVSS score of 7.8.
How does CVE-2021-21315 affect the System Information Library for Node.js?
CVE-2021-21315 affects the System Information Library for Node.js versions before 5.3.1.
How can I fix CVE-2021-21315?
To fix CVE-2021-21315, update the systeminformation npm package to version 5.3.1 or higher.
Are there any references for CVE-2021-21315?
Yes, you can find references for CVE-2021-21315 at the following links: - [GitHub Commit](https://github.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2ace8bfd8b525) - [GitHub Advisory](https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2m8v-572m-ff2v) - [Apache Cordova Mailing List](https://lists.apache.org/thread.html/r8afea9a83ed568f2647cccc6d8d06126f9815715ddf9a4d479b26b05@%3Cissues.cordova.apache.org%3E)
- agent/weakness
- agent/type
- agent/remedy
- agent/title
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- agent/author
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-2m8v-572m-ff2v
- alias/CVE-2021-21315
- agent/references
- agent/first-publish-date
- agent/description
- agent/softwarecombine
- collector/nvd-cve
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/event
- agent/tags
- collector/github-advisory
- vendor/npm package
- canonical/npm package system information library for node.js
- vendor/systeminformation
- canonical/systeminformation systeminformation node.js
- vendor/apache
- canonical/apache cordova
- version/apache cordova/10.0.0
- package-manager/npm