Skip to content

Command Injection Vulnerability

Moderate
sebhildebrandt published GHSA-2m8v-572m-ff2v Feb 14, 2021

Package

npm systeminformation (npm)

Affected versions

5.3.1

Patched versions

5.3.1

Description

Impact

command injection vulnerability

Patches

Problem was fixed with a parameter check. Please upgrade to version >= 5.3.1

Workarounds

If you cannot upgrade, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.

Severity

Moderate

CVE ID

CVE-2021-21315

Weaknesses

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Learn more on MITRE.