Detections
Analytics
NodeJS System Information Library Command Injection (CVE-2021-21315)
high Nessus Plugin ID 164017
Language:
Synopsis
The remote host contains a web application framework library that is affected by a command injection vulnerability.Description
The remote host contains a systeminformation npm module that is prior to 5.3.1. It is, therefore, affected by a command injection vulnerability. The System Information Library for Node.JS (npm package 'systeminformation') is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. The vulnerability was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), or si.processLoad()... to only allow strings and reject any arrays. String sanitization works as expected.Solution
Upgrade to the systeminformation module to 5.3.1 or later.See Also
http://www.nessus.org/u?103e42ce
Plugin Details
Severity: High
ID: 164017
File Name: nodejs_cve-2021-21315.nbin
Version: 1.23
Type: remote
Family: CGI abuses
Published: 8/10/2022
Updated: 7/17/2024
Supported Sensors: Nessus
Risk Information
CVSS Score Rationale: Tenable confirms the access vector is network, not local
VPR
Risk Factor: High
Score: 7.4
CVSS v2
Risk Factor: High
Base Score: 7.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Score Source: manual
CVSS v3
Risk Factor: High
Base Score: 8.8
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Information
CPE: cpe:/a:systeminformation:systeminformation
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 2/14/2022
Vulnerability Publication Date: 2/14/2022
CISA Known Exploited Vulnerability Due Dates: 2/1/2022
Reference Information
CVE: CVE-2021-21315