⚠ Actively exploited
Added to CISA KEV on 2022-01-18. Federal agencies required to patch by 2022-02-01. Required action: Apply updates per vendor instructions..
CVE-2021-21315
Severity
7.8HIGH
EPSS
94.0%
top 0.11%
CISA KEV
KEV
Added 2022-01-18
Due 2022-02-01
Exploit
Exploited in wild
Active exploitation observed
Timeline
PublishedFeb 16
KEV addedJan 18
KEV dueFeb 1
Latest updateJul 21
CISA Required Action: Apply updates per vendor instructions.
Description
The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. Problem was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings,…
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:NExploitability: 2.5 | Impact: 4.0
Affected Packages4 packages
Patches
🔴Vulnerability Details
4💥Exploits & PoCs
1Nuclei▶
Node.JS System Information Library <5.3.1 - Remote Command Injection
🔍Detection Rules
1Suricata
▶
📋Vendor Advisories
1🕵️Threat Intelligence
1Unit42
▶