Skip to content

Command Injection Vulnerability

Moderate severity GitHub Reviewed Published Feb 14, 2021 in sebhildebrandt/systeminformation • Updated Feb 1, 2023

Package

npm systeminformation (npm)

Affected versions

< 5.3.1

Patched versions

5.3.1

Description

Impact

command injection vulnerability

Patches

Problem was fixed with a parameter check. Please upgrade to version >= 5.3.1

Workarounds

If you cannot upgrade, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.

References

Last updated Feb 1, 2023
Published by the National Vulnerability Database Feb 16, 2021
Published to the GitHub Advisory Database Feb 16, 2021
Reviewed Feb 16, 2021

Severity

Moderate

Weaknesses

CVE ID

CVE-2021-21315

GHSA ID

GHSA-2m8v-572m-ff2v

Source code

No known source code
Checking history
See something to contribute? Suggest improvements for this vulnerability.