Lucene search

K
nessusThis script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.NODEJS_CVE-2021-21315.NBIN
HistoryAug 10, 2022 - 12:00 a.m.

NodeJS System Information Library Command Injection (CVE-2021-21315)

2022-08-1000:00:00
This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
150

The remote host contains a systeminformation npm module that is prior to 5.3.1. It is, therefore, affected by a command injection vulnerability. The System Information Library for Node.JS (npm package ‘systeminformation’) is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. The vulnerability was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), or si.processLoad()… to only allow strings and reject any arrays. String sanitization works as expected.

Binary data nodejs_cve-2021-21315.nbin
Related for NODEJS_CVE-2021-21315.NBIN