NodeJS System Information Library Command Injection (CVE-2021-21315)

high Nessus Plugin ID 164017

Synopsis

The remote host contains a web application framework library that is affected by a command injection vulnerability.

Description

The remote host contains a systeminformation npm module that is prior to 5.3.1. It is, therefore, affected by a command injection vulnerability. The System Information Library for Node.JS (npm package 'systeminformation') is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. The vulnerability was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), or si.processLoad()... to only allow strings and reject any arrays. String sanitization works as expected.

Solution

Upgrade to the systeminformation module to 5.3.1 or later.

See Also

https://security.netapp.com/advisory/ntap-20210312-0007/

http://www.nessus.org/u?103e42ce

http://www.nessus.org/u?5b30aacc

Plugin Details

Severity: High

ID: 164017

File Name: nodejs_cve-2021-21315.nbin

Version: 1.1

Type: remote

Family: CGI abuses

Published: 8/10/2022

Updated: 8/10/2022

Risk Information

CVSS Score Rationale: Tenable confirms the access vector is network, not local

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: manual

CVSS v3

Risk Factor: High

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:2.3:a:systeminformation:systeminformation:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/14/2022

Vulnerability Publication Date: 2/14/2022

Reference Information

CVE: CVE-2021-21315