HIGH 7.8

GHSA-2m8v-572m-ff2v

Command Injection Vulnerability

Details

### Impact command injection vulnerability

### Patches Problem was fixed with a parameter check. Please upgrade to version >= 5.3.1

### Workarounds If you cannot upgrade, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / systeminformation

Introduced in: 0 Fixed in: 5.3.1

Fix npm install systeminformation@5.3.1

References

https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2m8v-572m-ff2v [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2021-21315 [ADVISORY]
https://github.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2ace8bfd8b525 [WEB]
https://github.com/sebhildebrandt/systeminformation [PACKAGE]
https://lists.apache.org/thread.html/r8afea9a83ed568f2647cccc6d8d06126f9815715ddf9a4d479b26b05%40%3Cissues.cordova.apache.org%3E [WEB]
https://lists.apache.org/thread.html/r8afea9a83ed568f2647cccc6d8d06126f9815715ddf9a4d479b26b05@%3Cissues.cordova.apache.org%3E [WEB]
https://security.netapp.com/advisory/ntap-20210312-0007 [WEB]
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21315 [WEB]
https://www.npmjs.com/package/systeminformation [WEB]