The systeminformation package is an open source collection of functions to retrieve detailed hardware, system and OS information. In affected versions of systeminformation there is a command injection vulnerability.

As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() …: only allow strings and reject any arrays. String sanitation works as expected.

Upgrade to version 5.3.1 or later.
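A guard that applies the workaround above, added here as an example and not code from the advisory or the systeminformation project; the names sanitizeParam, hardenSystemInformation and demo, the per-function allow-list patterns, and the stand-in for the real module are assumptions.

```javascript
// Added example, not code from the advisory or the systeminformation project:
// only strings pass, arrays and other types are rejected, and an assumed
// per-function character allow-list keeps shell metacharacters out of the value.
const PATTERNS = {                                          // allow-lists are assumptions
  inetLatency: /^[A-Za-z0-9.:-]+$/,                         // hostname or IP literal
  inetChecksite: /^https?:\/\/[A-Za-z0-9._~\-\/:?=&%#]+$/,  // plain http(s) URL
  services: /^[A-Za-z0-9._\-, ]+$/,                         // comma-separated names
  processLoad: /^[A-Za-z0-9._\-, ]+$/,                      // comma-separated names
};

// Returns the value unchanged when it is a string matching the allow-list;
// otherwise throws, so the raw value never reaches systeminformation.
function sanitizeParam(fn, value) {
  const pattern = PATTERNS[fn];
  if (!pattern) throw new Error(`${fn}: no allow-list defined`);
  if (Array.isArray(value) || typeof value !== 'string') {
    const got = Array.isArray(value) ? 'array' : typeof value;
    throw new TypeError(`${fn}: expected a string parameter, got ${got}`);
  }
  if (!pattern.test(value)) throw new Error(`${fn}: characters outside the allow-list`);
  return value;
}

// Wraps the module object so every call to an affected function goes through
// sanitizeParam. hardenSystemInformation is an assumed name, not a library API.
function hardenSystemInformation(si) {
  const wrapped = {};
  for (const fn of Object.keys(PATTERNS)) {
    wrapped[fn] = (param, ...rest) => si[fn](sanitizeParam(fn, param), ...rest);
  }
  return wrapped;
}

// Runs one accepted and two rejected calls against a constructed stand-in for
// require('systeminformation'), which only records what would have reached it.
function demo() {
  const log = [];
  const fakeSi = Object.fromEntries(Object.keys(PATTERNS).map((fn) =>
    [fn, (param) => { log.push([fn, param]); return Promise.resolve({ ok: true }); }]));
  const si = hardenSystemInformation(fakeSi);
  const errors = [];
  si.services('nginx, sshd');                                // accepted and forwarded
  for (const bad of [['nginx', 'sshd'], 'nginx | x']) {       // array, then metacharacters
    try { si.services(bad); } catch (e) { errors.push(e.constructor.name); }
  }
  return { log, errors };
}
```

In a real deployment, replace the stand-in with require('systeminformation') and expose only the wrapped object to request-handling code, so the unchecked functions cannot be called directly.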