CVE-2021-21315
HIGH7.8⚠ KEVEPSS 94.0%Command Injection Vulnerability
發布日:2021/2/16修改日:2026/3/13加入 CISA KEV 日:2022/1/18
描述
### Impact command injection vulnerability ### Patches Problem was fixed with a parameter check. Please upgrade to version >= 5.3.1 ### Workarounds If you cannot upgrade, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.
受影響套件(2)
- Debian/node-systeminformationfrom 0
- npm/systeminformationfrom 0, < 5.3.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H |
參考連結(10)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-21315
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-21315
- PATCHhttps://github.com/sebhildebrandt/systeminformation
- WEBhttps://github.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2ace8bfd8b525
- WEBhttps://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2m8v-572m-ff2v
- WEBhttps://lists.apache.org/thread.html/r8afea9a83ed568f2647cccc6d8d06126f9815715ddf9a4d479b26b05@%3Cissues.cordova.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r8afea9a83ed568f2647cccc6d8d06126f9815715ddf9a4d479b26b05%40%3Cissues.cordova.apache.org%3E
- WEBhttps://security.netapp.com/advisory/ntap-20210312-0007
- WEBhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21315
- WEBhttps://www.npmjs.com/package/systeminformation