CVE-2021-21315 Scanner
Detects the 'OS Command Injection' vulnerability in the System Information Library for Node.JS, which affects versions before 5.3.1.
Short Info
Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 15 sec
Time Interval: 672 sec
Scan only one: Url
Toolbox: -
The System Information Library for Node.JS, also known as npm package "systeminformation," is an open source collection of functions that retrieve detailed hardware, system, and operating system information. This library is commonly used by developers and system administrators to gather crucial information about their systems in order to troubleshoot issues and optimize performance. With its user-friendly interface and ease of use, systeminformation has become a popular tool within the Node.JS community.
However, like many open source libraries, systeminformation is not immune to vulnerabilities. Recently, a command injection vulnerability was discovered in versions of systeminformation prior to version 5.3.1. This vulnerability, designated as CVE-2021-21315, could allow an attacker to execute arbitrary commands on the affected system by injecting malicious code in service parameters that are passed to functions such as si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad(), and more.
If this vulnerability is exploited, attackers could potentially gain unauthorized access to sensitive information on the affected system, execute malicious code, and even take control of the system. This poses a serious threat to the security and confidentiality of sensitive information, especially for businesses and organizations that store critical data on their systems.
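One way for an asset owner to check for the affected versions described above, as an added example that is not part of the original page or of the systeminformation project: it scans a parsed package-lock.json for copies of systeminformation older than 5.3.1 and, following the workaround in the upstream advisory listed in the references, accepts only string values for service parameters. The helper names and the sample lockfile are constructed for illustration.

```javascript
// Added example: helper names and the sample lockfile are constructed.
const FIXED = [5, 3, 1]; // first fixed release named on the page
// True when a version such as "4.34.9" sorts before 5.3.1 (prerelease tags ignored).
function isVulnerable(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) throw new Error(`unparseable version: ${version}`);
  const v = m.slice(1).map(Number);
  const i = v.findIndex((n, k) => n !== FIXED[k]);
  return i !== -1 && v[i] < FIXED[i];
}

// Walk a parsed package-lock.json: the flat "packages" map (lockfileVersion
// 2 and 3) or the nested "dependencies" tree (lockfileVersion 1).
function findVulnerable(lock) {
  const hits = [];
  const check = (path, meta) => {
    if (meta.version && isVulnerable(meta.version)) hits.push({ path, version: meta.version });
  };
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'systeminformation') check(path, meta);
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/systeminformation')) check(path, meta);
    }
  } else {
    walk(lock.dependencies, '');
  }
  return hits;
}

// Accept only strings for si.services(), si.processLoad() etc.; reject arrays.
function requireStringParam(value) {
  if (typeof value !== 'string') throw new TypeError('service parameter must be a string');
  return value;
}

const sampleLock = { // constructed input, not taken from a real project
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/systeminformation': { version: '5.3.1' },
    'node_modules/monitor-lib/node_modules/systeminformation': { version: '4.34.9' },
  },
};
console.log(findVulnerable(sampleLock));
```

In practice, pass the result of `JSON.parse` on the project's package-lock.json to `findVulnerable`; nested copies pulled in by other dependencies are reported with their full path.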
As the digital landscape continues to evolve, it is increasingly important for organizations to stay informed and proactive about potential vulnerabilities in their digital assets. With the pro features of s4e.io, it is easy to stay up to date on the latest security threats and vulnerabilities, allowing businesses to stay one step ahead of potential attackers. Stay safe and secure with the power of the s4e.io platform.
REFERENCES
- https://www.npmjs.com/package/systeminformation
- https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2m8v-572m-ff2v
- https://github.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2ace8bfd8b525
- lists.apache.org (mailing list): [cordova-issues] 20210224 [GitHub] [cordova-cli] iva2k opened a new issue #549: update systeminformation package to >=5.3.1
- https://security.netapp.com/advisory/ntap-20210312-0007/