CVE-2020-26300
Published: 2021-09-09
Priority: P353 | Severity: critical | CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.41% (69.3rd percentile)
systeminformation is an npm package that provides a system and OS information library for Node.js. In systeminformation before version 4.26.2 there is a command injection vulnerability. The problem was fixed in version 4.26.2 with a shell string sanitation fix.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sebhildebrandt | systeminformation | < 4.26.2 | 4.26.2 |
| systeminformation | systeminformation | < 4.26.2 | 4.26.2 |
| systeminformation | systeminformation | >= 0 < 4.26.2 | 4.26.2 |
CVSS provenance
NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
GHSA
Command Injection in systeminformation
ghsa·2020-10-27
CVE-2020-26300 [MEDIUM] CWE-78 Command Injection in systeminformation
### Impact
Command injection vulnerability.
### Patches
The problem was fixed with a shell string sanitation fix. Please upgrade to version >= 4.26.2.
### Workarounds
If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to `si.services()`, `si.inetChecksite()`, `si.inetLatency()`, `si.networkStats()` and `si.processLoad()`.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [systeminformation](https://github.com/sebhildebrandt/systeminformation)
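As an added example (not code from the systeminformation project or from this advisory), the following Node.js snippet shows the CWE-78 pattern behind this CVE and the kind of parameter guard the workaround above calls for. The command template, the function names `buildUnsafeCommand`, `assertSafeServiceName`, `guardedServiceArgs` and `safeArgv`, the allowlist regex and the payload string are all this example's own assumptions; the comma-separated service list (or `*`) is the library's documented calling convention for `si.services()` as understood here, so confirm it against the version you run.

```javascript
// Added example for CVE-2020-26300 (CWE-78). Not code from the
// systeminformation package: the command template, function names and
// allowlist below are this example's own assumptions.

// 1. The vulnerable shape: a caller-controlled string is interpolated into
//    a command line that is later handed to a shell (exec-style). Any
//    shell metacharacter in the string becomes part of the command.
function buildUnsafeCommand(serviceName) {
  // Illustrative template only; the real package's command differs.
  return `systemctl show ${serviceName} --property=ActiveState`;
}

// Constructed payload: ';' terminates the intended command and the rest
// runs as a second command under the same shell.
const PAYLOAD = 'sshd; id > /tmp/pwned';

// 2. The guard the workaround asks for: accept only characters that real
//    service names use and reject everything else before the library sees
//    it. Rejecting (not stripping) keeps the attempt visible and avoids a
//    stripped string being reinterpreted.
const SAFE_SERVICE_NAME = /^[A-Za-z0-9][A-Za-z0-9_.@:-]{0,127}$/;

function assertSafeServiceName(name) {
  if (typeof name !== 'string' || !SAFE_SERVICE_NAME.test(name)) {
    throw new TypeError(`unsafe service name rejected: ${JSON.stringify(name)}`);
  }
  return name;
}

// si.services() takes a comma-separated list of service names, or '*' for
// all services (documented calling convention; an assumption to verify
// against your installed version). Validate every element, then rebuild.
function guardedServiceArgs(serviceList) {
  if (serviceList === '*') return '*';
  const names = String(serviceList)
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
  if (names.length === 0) {
    throw new TypeError('empty service list');
  }
  return names.map(assertSafeServiceName).join(',');
}

// 3. If you run a command yourself, pass the name as a separate argv element
//    to child_process.execFile/spawn (no shell involved) instead of building
//    a string for exec(). Returns [file, args] ready for execFile.
function safeArgv(serviceName) {
  return ['systemctl', ['show', assertSafeServiceName(serviceName), '--property=ActiveState']];
}

// Stand-alone demo: shows the injected command line and the guard rejecting it.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe command line:', buildUnsafeCommand(PAYLOAD));
  try {
    guardedServiceArgs(PAYLOAD);
  } catch (err) {
    console.log('guard:', err.message);
  }
  console.log('guarded list:', guardedServiceArgs('sshd, nginx'));
  // Intended use with the library (not executed here):
  // const si = require('systeminformation');
  // si.services(guardedServiceArgs(userInput)).then(console.log);
}

if (typeof module !== 'undefined') {
  module.exports = { buildUnsafeCommand, PAYLOAD, assertSafeServiceName, guardedServiceArgs, safeArgv };
}
```

Apply `guardedServiceArgs()` to anything that arrived from a request, a config file or another process before handing it to `si.services()`; the other functions named in the workaround take host names or URLs, so they need an allowlist matched to that parameter type rather than this one. Validation at the call site is a stopgap; the fix in 4.26.2 is the upgrade path.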
OSV
Command Injection in systeminformation
osv·2020-10-27
CVE-2020-26300 [MEDIUM] Command Injection in systeminformation
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/advisories/GHSA-fj59-f6c3-3vw4
https://github.com/sebhildebrandt/systeminformation/commit/bad372e654cdd549e7d786acbba0035ded54c607
https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-fj59-f6c3-3vw4
https://www.npmjs.com/package/systeminformation