
Command Injection

Description

## Overview

The `systeminformation` package is an open source collection of functions to retrieve detailed hardware, system and OS information. In affected versions of `systeminformation` there is a command injection vulnerability.

As a workaround instead of upgrading, check or sanitize the service parameters that are passed to `si.inetLatency()`, `si.inetChecksite()`, `si.services()`, `si.processLoad()` ...: allow only strings and reject any arrays. String sanitization works as expected.

## Recommendation

Upgrade to version 5.3.1 or later.

## References

- [GitHub Advisory](https://github.com/advisories/GHSA-2m8v-572m-ff2v)
- [CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21315)
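The workaround above, enforced in code, as an added example that is not part of the advisory or of the `systeminformation` project: a guard that accepts only plain strings (arrays and other non-strings are rejected) and applies a conservative character allowlist before the value reaches `si.services()`, `si.inetLatency()` and the other listed functions. The allowlist pattern, the length limit and the `guarded` wrapper are assumptions made for this example.

```javascript
// Assumed conservative allowlist for service names, hostnames and URLs
// (letters, digits, ".", "_", ":", "/", "-", "," and space); tighten as needed.
const ALLOWED = /^[A-Za-z0-9._:\/\-, ]+$/;
const MAX_LEN = 256; // assumed upper bound on a single parameter

// Validate one parameter per the advisory's workaround: strings only, no arrays.
// Returns the value unchanged when it passes, throws TypeError otherwise.
function assertStringParam(name, value) {
  if (Array.isArray(value)) {
    throw new TypeError(`${name}: arrays are not accepted`);
  }
  if (typeof value !== 'string') {
    throw new TypeError(`${name}: expected a string, got ${typeof value}`);
  }
  if (value.length === 0 || value.length > MAX_LEN || !ALLOWED.test(value)) {
    throw new TypeError(`${name}: empty, too long or outside the allowlist`);
  }
  return value;
}

// Wrap a systeminformation function so every argument is validated first.
// A rejected argument throws before the underlying function is ever called.
function guarded(fn, name) {
  return function (...args) {
    const checked = args.map((a, i) => assertStringParam(`${name} arg ${i}`, a));
    return fn.apply(this, checked);
  };
}

// Usage (assumes the `systeminformation` package is installed):
//   const si = require('systeminformation');
//   const services = guarded(si.services, 'services');
//   services('mysql, apache2').then(console.log);   // accepted
//   services(['mysql', 'apache2']);                 // throws TypeError
```

The guard only covers the parameters you route through it; upgrading to 5.3.1 or later remains the actual fix.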


Affected Software


| CPE Name | Name | Version |
|---|---|---|
| | systeminformation | 5.3.1 |
