CVE-2021-21388
Published 2021-04-29
Priority P355 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.85% (76.5th percentile)
systeminformation is an open source system and OS information library for node.js. A command injection vulnerability has been discovered in versions of systeminformation prior to 5.6.4. The issue has been fixed with a parameter check on user input. Please upgrade to version >= 5.6.4. If you cannot upgrade, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() and other commands. Only allow strings, reject any arrays. String sanitation works as expected.
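The workaround above, as an added example that is not part of the advisory or of the systeminformation project: a wrapper that validates the service/process parameter before it reaches the listed functions, rejecting arrays and every other non-string value. The `guardSysteminformation` helper and the stand-in module used to exercise it are assumptions of this example.

```javascript
// Added example (not systeminformation's own code): enforce the advisory's
// workaround for installs that cannot yet move to >= 5.6.4 by guarding the
// parameters passed to si.services(), si.processLoad(), si.inetLatency() and
// si.inetChecksite(). Only strings reach the library; arrays are rejected.

// Accepts a single string; throws for arrays, objects, numbers, null, etc.
function requireString(value, name) {
  if (typeof value !== 'string') {
    const kind = Array.isArray(value) ? 'array' : typeof value;
    throw new TypeError(`${name}: expected a string, got ${kind}`);
  }
  return value;
}

// Functions the advisory names as taking a user-controllable parameter
// (the advisory's list is explicitly not exhaustive).
const GUARDED = ['inetLatency', 'inetChecksite', 'services', 'processLoad'];

// Returns a shallow copy of the module object (require('systeminformation'))
// where each guarded function validates its first argument before delegating.
// The module is passed in so the wrapper can be exercised with a stand-in.
function guardSysteminformation(si) {
  const guarded = Object.assign({}, si);
  for (const fn of GUARDED) {
    if (typeof si[fn] !== 'function') continue;
    guarded[fn] = (param, ...rest) =>
      si[fn](requireString(param, `si.${fn}`), ...rest);
  }
  return guarded;
}

// Constructed stand-in for the real module: records every call it receives.
function makeFakeSi() {
  const calls = [];
  const fake = {};
  for (const fn of GUARDED) {
    fake[fn] = (param) => {
      calls.push([fn, param]);
      return Promise.resolve(param);
    };
  }
  return { fake, calls };
}
```

In a real deployment, replace the stand-in with `guardSysteminformation(require('systeminformation'))` and hand the guarded object to the rest of the application.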
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sebhildebrandt | systeminformation | < 5.6.4 | 5.6.4 |
| systeminformation | systeminformation | < 5.6.4 | 5.6.4 |
| systeminformation | systeminformation | >= 0 < 5.6.4 | 5.6.4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
GHSA
Command Injection Vulnerability in systeminformation
ghsa·2021-04-06
CVE-2021-21388 [HIGH] CWE-77 Command Injection Vulnerability in systeminformation
### Impact
Command injection vulnerability.
### Patches
Problem was fixed with a parameter check. Please upgrade to version >= 5.6.4.
### Workarounds
If you cannot upgrade, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... Only allow strings, reject any arrays. String sanitation works as expected.
OSV
Command Injection Vulnerability in systeminformation
osv·2021-04-06
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/sebhildebrandt/systeminformation/commit/01ef56cd5824ed6da1c11b37013a027fdef67524
https://github.com/sebhildebrandt/systeminformation/commit/0be6fcd575c05687d1076d5cd6d75af2ebae5a46
https://github.com/sebhildebrandt/systeminformation/commit/7922366d707de7f20995fc8e30ac3153636bf35f
https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-jff2-qjw8-5476
https://www.npmjs.com/package/systeminformation