CVE-2021-21315

Description

The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. Problem was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.

How to fix CVE-2021-21315

To remediate CVE-2021-21315, upgrade the affected package to a fixed version below.

• —no fix listed
• —upgrade to 5.3.1 or later

Is CVE-2021-21315 being exploited?

Yes — CVE-2021-21315 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.

Affected packages (2)

• from 0
• from 0, < 5.3.1

CVSS scores

References (10)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-21315
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-21315
• PATCHgithub.com/sebhildebrandt/systeminformation
• WEBgithub.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2ace8bfd8b525