command injection vulnerability
Problem was fixed with a parameter check. Please upgrade to version >= 5.3.1
If you cannot upgrade, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() … do only allow strings, reject any arrays. String sanitation works as expected.
CPE | Name | Operator | Version |
---|---|---|---|
systeminformation | lt | 5.3.1 |
github.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2ace8bfd8b525
github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2m8v-572m-ff2v
lists.apache.org/thread.html/r8afea9a83ed568f2647cccc6d8d06126f9815715ddf9a4d479b26b05@%3Cissues.cordova.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2021-21315
security.netapp.com/advisory/ntap-20210312-0007
www.npmjs.com/package/systeminformation