Enhancement: cves/2021/CVE-2021-21315.yaml by mp

patch-1
MostInterestingBotInTheWorld 2022-06-27 13:06:05 -04:00
parent ab7d54fb05
commit e52fc20cce
1 changed files with 6 additions and 2 deletions

@ -1,20 +1,22 @@
id: CVE-2021-21315
info:
name: Node.js Systeminformation Command Injection
name: Node.JS System Information Library <5.3.1 - Remote Command Injection
author: pikpikcu
severity: high
description: The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. Problem was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.
description: Node.JS System Information Library System before version 5.3.1 is susceptible to remote command injection. Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information.
reference:
- https://github.com/ForbiddenProgrammer/CVE-2021-21315-PoC
- https://security.netapp.com/advisory/ntap-20210312-0007/
- https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2m8v-572m-ff2v
- https://www.npmjs.com/package/systeminformation
- https://nvd.nist.gov/vuln/detail/CVE-2021-21315
classification:
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.8
cve-id: CVE-2021-21315
cwe-id: CWE-78
remediation: Upgrade to version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected
tags: nodejs,cve,cve2021,cisa
requests:
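Review bot: the new description line reads "Node.JS System Information Library System before version 5.3.1", which repeats "System"; suggest "Node.JS System Information Library before version 5.3.1 is susceptible to remote command injection." Also, the new name says "Remote Command Injection" while the unchanged classification block carries `cvss-metrics: CVSS:3.1/AV:L/...` (attack vector Local) with `cvss-score: 7.8`; either the vector should be re-checked against the CVE entry or the title should not claim "Remote", so the metadata stays consistent. Minor: the `remediation` line has no terminating period.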
@ -42,3 +44,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/06/27