Fluid Attacks Database

Description

Command Injection Vulnerability

Impact

command injection vulnerability

Patches

Problem was fixed with a parameter check. Please upgrade to version >= 5.3.1

Workarounds

If you cannot upgrade, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	systeminformation	>=0 <5.3.1	5.3.1

Aliases

1. CVE-2021-213152. NVD-2021-213153. OSV-2021-213154. GHSA-2m8v-572m-ff2v5. GCVE-2021-21315

References

1. https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2m8v-572m-ff2v2. https://github.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2ace8bfd8b5253. https://lists.apache.org/thread.html/r8afea9a83ed568f2647cccc6d8d06126f9815715ddf9a4d479b26b05%40%3Cissues.cordova.apache.org%3E4. https://lists.apache.org/thread.html/r8afea9a83ed568f2647cccc6d8d06126f9815715ddf9a4d479b26b05@%3Cissues.cordova.apache.org%3E5. https://security.netapp.com/advisory/ntap-20210312-00076. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-213157. https://www.npmjs.com/package/systeminformation8. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-21315.yaml9. https://github.com/ForbiddenProgrammer/CVE-2021-21315-PoC

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.