Skip to content
Permalink
Browse files Browse the repository at this point in the history
inetLatency() command injection vulnaribility fix
  • Loading branch information
sebhildebrandt committed Dec 11, 2020
1 parent 4f98f2f commit 1faadcb
Show file tree
Hide file tree
Showing 5 changed files with 27 additions and 2 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -30,6 +30,7 @@ For major (breaking) changes - version 3 and 2 see end of page.

| Version | Date | Comment |
| -------------- | -------------- | -------- |
| 4.31.1 | 2020-12-11 | `inetLatency()` command injection vulnaribility fix |
| 4.31.0 | 2020-12-06 | `osInfo()` added FQDN |
| 4.30.11 | 2020-12-02 | `cpu()` bug fix speed parsing |
| 4.30.10 | 2020-12-01 | `cpu()` handled speed parsing error (Apple Silicon) |
Expand Down
5 changes: 5 additions & 0 deletions docs/history.html
Expand Up @@ -83,6 +83,11 @@ <h3>Full version history</h3>
</tr>
</thead>
<tbody>
<tr>
<th scope="row">4.31.1</th>
<td>2020-12-06</td>
<td><span class="code">inetLatency()</span> command injection vulnaribility fix</td>
</tr>
<tr>
<th scope="row">4.31.0</th>
<td>2020-12-06</td>
Expand Down
4 changes: 2 additions & 2 deletions docs/index.html
Expand Up @@ -165,11 +165,11 @@
<body>
<header class="bg-image-full">
<div class="container">
<a href="security.html" class="recommendation">Security advisory:<br>Update to v4.30.5</a>
<a href="security.html" class="recommendation">Security advisory:<br>Update to v4.31.1</a>
<img class="logo" src="assets/logo.png">
<div class="title">systeminformation</div>
<div class="subtitle"><span id="typed"></span></div>
<div class="version">Current Version: <span id="version">4.31.0</span></div>
<div class="version">Current Version: <span id="version">4.31.1</span></div>
<button class="btn btn-light" onclick="location.href='https://github.com/sebhildebrandt/systeminformation'">View on Github <i class=" fab fa-github"></i></button>
</div>
<div class="down">
Expand Down
17 changes: 17 additions & 0 deletions docs/security.html
Expand Up @@ -42,6 +42,23 @@
<div class="col-12 sectionheader">
<div class="title">Security Advisories</div>
<div class="text">
<h2>Command Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
< 4.31.1<br>
<span class="bold">Date:</span> 2020-12-11<br>
<span class="bold">CVE indentifier</span> (not yet)
</p>

<h4>Impact</h4>
<p>Here we had an issue that there was a possibility to inject commands to the command line of your machine via systeminformation. Affected commands: <span class="code">inetLatency()</span>.</p>

<h4>Patch</h4>
<p>Problem was fixed with a shell string sanitation fix. Please upgrade to version >= 4.31.1</p>

<h4>Workarround</h4>
<p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span></p>


<h2>command injection vulnerability - prototype pollution</h2>
<p><span class="bold">Affected versions:</span>
< 4.30.5<br>
Expand Down
2 changes: 2 additions & 0 deletions lib/util.js
Expand Up @@ -521,6 +521,8 @@ function sanitizeShellString(str) {
s[i] === '\\' ||
s[i] === '\t' ||
s[i] === '\n' ||
s[i] === '\'' ||
s[i] === '`' ||
s[i] === '"')) {
result = result + s[i];
}
Expand Down

0 comments on commit 1faadcb

Please sign in to comment.