CVE-2021-21388 – systeminformation
Package
Manager: npm
Name: systeminformation
Vulnerable Version: >=0 <5.6.4
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00617 (percentile 0.6901)
Details
Command Injection Vulnerability in systeminformation
Impact: OS command injection (CWE-77, CWE-78). The affected functions accept a caller-supplied parameter that ends up in a shell command. The library sanitizes that parameter when it is a string, but an array passed in its place is not subjected to the same check, so attacker-controlled array elements can reach the command line.
Patches: Fixed by a parameter (type) check. Upgrade to version 5.6.4 or later.
Workarounds: If you cannot upgrade, check or sanitize the service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() and related calls before handing them to the library: accept only primitive strings and reject arrays (and any other non-string value). The library's own string sanitization works as expected; the gap is the non-string path.
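The workaround above, as an added example that is not code from the systeminformation project: a set of input guards placed in front of the affected calls. The core check is the one the advisory asks for (reject anything that is not a primitive string); on top of that it applies an allow-list per call. The names assertString, requireNameList, requireHost, requireUrl and guard are this example's own, and the accepted input shapes (a comma-separated list of names or "*" for si.services()/si.processLoad(), a host for si.inetLatency(), an absolute http(s) URL for si.inetChecksite()) follow the library's documented usage but are assumptions here, not something the advisory states.

```javascript
'use strict';

// Allow-lists for what the affected calls legitimately need (assumed shapes).
const NAME_TOKEN = /^[A-Za-z0-9._+@-]{1,128}$/; // one service or process name
const HOST = /^[A-Za-z0-9.:-]{1,253}$/;         // hostname, IPv4 or IPv6 literal

// The check from the advisory: accept a primitive string only. Arrays (the
// bypass), objects, numbers, null and undefined are all rejected up front.
function assertString(name, value) {
  if (typeof value !== 'string') {
    const kind = Array.isArray(value) ? 'array' : value === null ? 'null' : typeof value;
    throw new TypeError(`${name}: expected a string, got ${kind}`);
  }
  return value;
}

// si.services() / si.processLoad(): "*" or a comma-separated list of names.
// Returns a normalized list string that is safe to forward.
function requireNameList(name, value) {
  const s = assertString(name, value).trim();
  if (s === '*') return s;
  const tokens = s.split(',').map((t) => t.trim());
  for (const t of tokens) {
    if (!NAME_TOKEN.test(t)) {
      throw new Error(`${name}: invalid name ${JSON.stringify(t)}`);
    }
  }
  return tokens.join(', ');
}

// si.inetLatency(): a single hostname or IP literal, nothing else.
function requireHost(name, value) {
  const s = assertString(name, value).trim();
  if (!HOST.test(s) || s.includes('..')) {
    throw new Error(`${name}: invalid host ${JSON.stringify(s)}`);
  }
  return s;
}

// si.inetChecksite(): an absolute http(s) URL, re-serialized by the WHATWG
// parser so that only a canonical form is forwarded.
function requireUrl(name, value) {
  const s = assertString(name, value).trim();
  let u;
  try {
    u = new URL(s);
  } catch (e) {
    throw new Error(`${name}: not an absolute URL`);
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error(`${name}: unsupported scheme ${u.protocol}`);
  }
  return u.href;
}

// Wrap a library function so every call is validated before it is delegated.
// The validator's return value (not the raw input) is what gets forwarded.
function guard(fn, validator, name) {
  return (param, ...rest) => fn(validator(name, param), ...rest);
}

// Usage with the real library (assumed installed; not loaded in this example):
//   const si = require('systeminformation');
//   const services = guard(si.services, requireNameList, 'services');
//   const latency = guard(si.inetLatency, requireHost, 'host');
//   const checksite = guard(si.inetChecksite, requireUrl, 'url');
//   services('mysql, apache2');   // forwarded as 'mysql, apache2'
//   services(['mysql; id']);      // throws TypeError before si is called

module.exports = { assertString, requireNameList, requireHost, requireUrl, guard };
```

Keep the guards at the boundary where untrusted input (HTTP parameters, job payloads) enters the process; the library's own string sanitization is still in place behind them, so the two checks are layered rather than one replacing the other.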
Metadata
Created: 2021-04-06T17:30:14Z
Modified: 2021-04-29T17:22:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-jff2-qjw8-5476/GHSA-jff2-qjw8-5476.json
CWE IDs: ["CWE-77", "CWE-78"]
Alternative ID: GHSA-jff2-qjw8-5476
Finding: F404
Auto approve: 1