systeminformation

Security Advisories

Insufficient File Scheme Validation

Affected versions: < 5.3.2 and < 4.34.12
Date: 2021-02-15
CVE indentifier -

Impact

We had an issue that there was a possibility to run inetChecksite against local files due to improper file scheme validation. Affected commands: inetLatency(), inetChecksite().

Patch

Problem was fixed with additional parameter checking. Please upgrade to version >= 5.3.2 (or >= 4.34.12 if you are using version 4).

Workarround

If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to inetLatency(), inetChecksite() (sanitize `file://` parameter)

Command Injection Vulnerability

Affected versions: < 5.3.1 and < 4.34.11
Date: 2021-02-14
CVE indentifier CVE-2021-21315

Impact

We had an issue that there was a possibility to perform a potential command injection possibility by passing a manipulated array as a parameter to the following functions. Affected commands: inetLatency(), inetChecksite(), services(), processLoad().

Patch

Problem was fixed with additional parameter checking. Please upgrade to version >= 5.3.1 (or >= 4.34.11 if you are using version 4).

Workarround

If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to inetLatency(), inetChecksite(), services(), processLoad() (string only)

DOS Injection Vulnerability

Affected versions: < 5.2.6 and < 4.34.10
Date: 2021-02-12
CVE indentifier -

Impact

Here we had an issue that there was a possibility to perform a ping command execution for too long time. Affected commands: inetLatency().

Patch

Problem was fixed with a shell string sanitation fix. Please upgrade to version >= 5.2.6 (or >= 4.34.10 if you are using version 4).

Workarround

If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to inetLatency() (no spaces)

Command Injection Vulnerability

Affected versions: < 4.31.1
Date: 2020-12-11
CVE indentifier CVE-2020-26274, CVE-2020-28448

Impact

Here we had an issue that there was a possibility to inject commands to the command line of your machine via systeminformation. Affected commands: inetLatency().

Patch

Problem was fixed with a shell string sanitation fix. Please upgrade to version >= 4.31.1

Workarround

If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to inetLatency()

Command Injection Vulnerability - Prototype Pollution

Affected versions: < 4.30.5
Date: 2020-11-26
CVE indentifier CVE-2020-26245

Impact

Here we had an issue that there was a possibility to inject commands to the command line by property pollution on the string object. Affected commands: inetChecksite().

Patch

Problem was fixed with a shell string sanitation fix as well as handling prototype polution. Please upgrade to version >= 4.30.5

Workarround

If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to inetChecksite()

Command Injection Vulnerability

Affected versions: < 4.27.11
Date: 2020-10-26
CVE indentifier CVE-2020-7752

Impact

Here we had an issue that there was a possibility to inject commands to the command line of your machine via systeminformation. Affected commands: inetChecksite().

Patch

Problem was fixed with a shell string sanitation fix. Please upgrade to version >= 4.27.11

Workarround

If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to inetChecksite()