Passing User Paramters to Systeminformation
For most of the applications that are using systeminformation, there is no reason to worry. But be aware! If you are using inetLatency(), inetChecksite(), services(), processLoad(), versions() with arbitrary untrusted user input, you should pay extra attention! We are doing a lot of input sanitation for those functions inside this package but we cannot handle all cases!
This can lead to serious impact on your servers!
We highly recommend to always upgrade to the latest version of our package. We maintain security updates for version 5 AND also version 4. For version 4 you can install latest version by placing "systeminformation": "^4" in your package.json (dependencies) and run npm install
Command Injection Vulnerability
Affected versions:
< 5.6.13 and < 4.34.21
Date: 2021-05-04
CVE indentifier -
Impact
We had an issue that there was a possibility to perform a potential command injection possibility by passing a non string values as a parameter to the dockerImagesInspect(), dockerContainerInspect(), dockerContainerProcesses().
Patch
Problem was fixed with parameter checking. Please upgrade to version >= 5.6.13 (or >= 4.34.21 if you are using version 4).
Workaround
If you cannot upgrade, be sure to check or sanitize parameter strings that are passed to dockerImagesInspect(), dockerContainerInspect(), dockerContainerProcesses() (string only)
Command Injection Vulnerability
Affected versions:
< 5.6.11 and < 4.34.20
Date: 2021-04-08
CVE indentifier -
Impact
We had an issue that there was a possibility to perform a potential command injection possibility by passing a non string values as a parameter to the versions().
Patch
Problem was fixed with parameter checking. Please upgrade to version >= 5.6.11 (or >= 4.34.20 if you are using version 4).
Workaround
If you cannot upgrade, be sure to check or sanitize parameter strings that are passed to versions() (string only)
Command Injection Vulnerability
Affected versions:
< 5.6.4 and < 4.34.17
Date: 2021-03-15
CVE indentifier CVE-2021-21388
Impact
We had an issue that there was a possibility to perform a potential command injection possibility by passing a manipulated string prototype as a parameter to the following functions. Affected commands: inetLatency(), inetChecksite(), services(), processLoad().
Patch
Problem was fixed with additional parameter checking. Please upgrade to version >= 5.6.4 (or >= 4.34.17 if you are using version 4).
Workaround
If you cannot upgrade, be sure to check or sanitize parameter strings that are passed to inetLatency(), inetChecksite(), services(), processLoad() (string only)
Insufficient File Scheme Validation
Affected versions:
< 5.3.2 and < 4.34.12
Date: 2021-02-15
CVE indentifier -
Impact
We had an issue that there was a possibility to run inetChecksite against local files due to improper file scheme validation. Affected commands: inetLatency(), inetChecksite().
Patch
Problem was fixed with additional parameter checking. Please upgrade to version >= 5.3.2 (or >= 4.34.12 if you are using version 4).
Workaround
If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to inetLatency(), inetChecksite() (sanitize `file://` parameter)
Command Injection Vulnerability
Affected versions:
< 5.3.1 and < 4.34.11
Date: 2021-02-14
CVE indentifier CVE-2021-21315
Impact
We had an issue that there was a possibility to perform a potential command injection possibility by passing a manipulated array as a parameter to the following functions. Affected commands: inetLatency(), inetChecksite(), services(), processLoad().
Patch
Problem was fixed with additional parameter checking. Please upgrade to version >= 5.3.1 (or >= 4.34.11 if you are using version 4).
Workaround
If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to inetLatency(), inetChecksite(), services(), processLoad() (string only)
DOS Injection Vulnerability
Affected versions:
< 5.2.6 and < 4.34.10
Date: 2021-02-12
CVE indentifier -
Impact
Here we had an issue that there was a possibility to perform a ping command execution for too long time. Affected commands: inetLatency().
Patch
Problem was fixed with a shell string sanitation fix. Please upgrade to version >= 5.2.6 (or >= 4.34.10 if you are using version 4).
Workaround
If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to inetLatency() (no spaces)
Command Injection Vulnerability
Affected versions:
< 4.31.1
Date: 2020-12-11
CVE indentifier CVE-2020-26274, CVE-2020-28448
Impact
Here we had an issue that there was a possibility to inject commands to the command line of your machine via systeminformation. Affected commands: inetLatency().
Patch
Problem was fixed with a shell string sanitation fix. Please upgrade to version >= 4.31.1
Workaround
If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to inetLatency()
Command Injection Vulnerability - Prototype Pollution
Affected versions:
< 4.30.5
Date: 2020-11-26
CVE indentifier CVE-2020-26245
Impact
Here we had an issue that there was a possibility to inject commands to the command line by property pollution on the string object. Affected commands: inetChecksite().
Patch
Problem was fixed with a shell string sanitation fix as well as handling prototype polution. Please upgrade to version >= 4.30.5
Workaround
If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to inetChecksite()
Command Injection Vulnerability
Affected versions:
< 4.27.11
Date: 2020-10-26
CVE indentifier CVE-2020-7752
Impact
Here we had an issue that there was a possibility to inject commands to the command line of your machine via systeminformation. Affected commands: inetChecksite().
Patch
Problem was fixed with a shell string sanitation fix. Please upgrade to version >= 4.27.11
Workaround
If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to inetChecksite()