CVE-2021-21315 – systeminformation
Package
Manager: npm
Name: systeminformation
Vulnerable Version: >=0 <5.3.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.93764 (percentile 0.99852)
Details
Command Injection Vulnerability

### Impact
Command injection vulnerability.

### Patches
The problem was fixed with a parameter check. Please upgrade to version >= 5.3.1.

### Workarounds
If you cannot upgrade, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... Allow only strings and reject any arrays. String sanitization works as expected.
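One way to apply the workaround above when upgrading is not possible, as an added example that is not code from systeminformation or from the advisory: a type guard that rejects arrays and any other non-string value before it reaches the library. `requireStringParam`, `guardStringArg` and the stub standing in for `si.inetLatency()` are hypothetical names, and the sample inputs are constructed.

```javascript
// Added example: enforce "strings only, reject arrays" in front of a library call.
// All helper names here are hypothetical; nothing below is systeminformation code.

// Return the value unchanged if it is a primitive string, otherwise throw.
function requireStringParam(name, value) {
  if (typeof value !== 'string') {
    const kind = Array.isArray(value) ? 'array'
      : value === null ? 'null'
      : typeof value;
    throw new TypeError(`${name} must be a string, got ${kind}`);
  }
  return value;
}

// Wrap a one-argument function so the argument is type-checked first.
// Real use (assumption): guardStringArg(si.inetLatency.bind(si), 'host')
function guardStringArg(fn, name) {
  return (value) => fn(requireStringParam(name, value));
}

// Stub standing in for si.inetLatency(); records every value that gets through.
const reached = [];
const stubInetLatency = (host) => {
  reached.push(host);
  return `latency:${host}`;
};
const safeInetLatency = guardStringArg(stubInetLatency, 'host');

// Call the guarded function and report the outcome instead of throwing.
function tryCall(value) {
  try {
    return { ok: true, result: safeInetLatency(value) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed inputs: a plain string, then the shapes a request parser can
// produce when a parameter is repeated or nested (array, object).
const samples = ['example.com', ['example.com'], { host: 'example.com' }];
for (const sample of samples) {
  console.log(JSON.stringify(sample), '->', JSON.stringify(tryCall(sample)));
}
```

The guard only enforces the type; string values still go through the library's own sanitization, which the advisory says works as expected.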
Metadata
Created: 2021-02-16T16:51:04Z
Modified: 2024-07-25T15:00:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-2m8v-572m-ff2v/GHSA-2m8v-572m-ff2v.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-2m8v-572m-ff2v
Finding: F404
Auto approve: 1