The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. Problem was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-02-16T17:00:18

Updated: 2024-08-03T18:09:15.260Z

Reserved: 2020-12-22T00:00:00

Link: CVE-2021-21315

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-02-16T17:15:13.050

Modified: 2024-11-21T05:48:00.287

Link: CVE-2021-21315

cve-icon Redhat

No data.