CVE-2021-21388
HIGH8.9EPSS 0.62%Command Injection Vulnerability in systeminformation
發布日:2021/4/6修改日:2026/3/13
描述
### Impact command injection vulnerability ### Patches Problem was fixed with a parameter check. Please upgrade to version >= 5.6.4 ### Workarounds If you cannot upgrade, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.
受影響套件(2)
- Debian/node-systeminformationfrom 0
- npm/systeminformationfrom 0, < 5.6.4
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H |
參考連結(7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-21388
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-21388
- WEBhttps://github.com/sebhildebrandt/systeminformation/commit/01ef56cd5824ed6da1c11b37013a027fdef67524
- WEBhttps://github.com/sebhildebrandt/systeminformation/commit/0be6fcd575c05687d1076d5cd6d75af2ebae5a46
- WEBhttps://github.com/sebhildebrandt/systeminformation/commit/7922366d707de7f20995fc8e30ac3153636bf35f
- WEBhttps://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-jff2-qjw8-5476
- WEBhttps://www.npmjs.com/package/systeminformation