systeminformation

Security Advisories

Passing User Paramters to Systeminformation

For most of the applications that are using systeminformation, there is no reason to worry. But be aware! If you are using inetLatency(), inetChecksite(), services(), processLoad(), versions() with arbitrary untrusted user input, you should pay extra attention! We are doing a lot of input sanitation for those functions inside this package but we cannot handle all cases!

This can lead to serious impact on your servers!

We highly recommend to always upgrade to the latest version of our package. We maintain security updates for version 5 AND also version 4. For version 4 you can install latest version by placing "systeminformation": "^4" in your package.json (dependencies) and run npm install

Command Injection Vulnerability

Affected versions: < 5.6.11 and < 4.34.20
Date: 2021-04-08
CVE indentifier -

Impact

We had an issue that there was a possibility to perform a potential command injection possibility by passing a non string values as a parameter to the versions().

Patch

Problem was fixed with parameter checking. Please upgrade to version >= 5.6.11 (or >= 4.34.20 if you are using version 4).

Workarround

If you cannot upgrade, be sure to check or sanitize parameter strings that are passed to versions() (string only)

Command Injection Vulnerability

Affected versions: < 5.6.4 and < 4.34.17
Date: 2021-03-15
CVE indentifier CVE-2021-21388

Impact

We had an issue that there was a possibility to perform a potential command injection possibility by passing a manipulated string prototype as a parameter to the following functions. Affected commands: inetLatency(), inetChecksite(), services(), processLoad().

Patch

Problem was fixed with additional parameter checking. Please upgrade to version >= 5.6.4 (or >= 4.34.17 if you are using version 4).

Workarround

If you cannot upgrade, be sure to check or sanitize parameter strings that are passed to inetLatency(), inetChecksite(), services(), processLoad() (string only)

Insufficient File Scheme Validation

Affected versions: < 5.3.2 and < 4.34.12
Date: 2021-02-15
CVE indentifier -

Impact

We had an issue that there was a possibility to run inetChecksite against local files due to improper file scheme validation. Affected commands: inetLatency(), inetChecksite().

Patch

Problem was fixed with additional parameter checking. Please upgrade to version >= 5.3.2 (or >= 4.34.12 if you are using version 4).

Workarround

If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to inetLatency(), inetChecksite() (sanitize `file://` parameter)

Command Injection Vulnerability

Affected versions: < 5.3.1 and < 4.34.11
Date: 2021-02-14
CVE indentifier CVE-2021-21315

Impact

We had an issue that there was a possibility to perform a potential command injection possibility by passing a manipulated array as a parameter to the following functions. Affected commands: inetLatency(), inetChecksite(), services(), processLoad().

Patch

Problem was fixed with additional parameter checking. Please upgrade to version >= 5.3.1 (or >= 4.34.11 if you are using version 4).

Workarround

If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to inetLatency(), inetChecksite(), services(), processLoad() (string only)

DOS Injection Vulnerability

Affected versions: < 5.2.6 and < 4.34.10
Date: 2021-02-12
CVE indentifier -

Impact

Here we had an issue that there was a possibility to perform a ping command execution for too long time. Affected commands: inetLatency().

Patch

Problem was fixed with a shell string sanitation fix. Please upgrade to version >= 5.2.6 (or >= 4.34.10 if you are using version 4).

Workarround

If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to inetLatency() (no spaces)

Command Injection Vulnerability

Affected versions: < 4.31.1
Date: 2020-12-11
CVE indentifier CVE-2020-26274, CVE-2020-28448

Impact

Here we had an issue that there was a possibility to inject commands to the command line of your machine via systeminformation. Affected commands: inetLatency().

Patch

Problem was fixed with a shell string sanitation fix. Please upgrade to version >= 4.31.1

Workarround

If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to inetLatency()

Command Injection Vulnerability - Prototype Pollution

Affected versions: < 4.30.5
Date: 2020-11-26
CVE indentifier CVE-2020-26245

Impact

Here we had an issue that there was a possibility to inject commands to the command line by property pollution on the string object. Affected commands: inetChecksite().

Patch

Problem was fixed with a shell string sanitation fix as well as handling prototype polution. Please upgrade to version >= 4.30.5

Workarround

If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to inetChecksite()

Command Injection Vulnerability

Affected versions: < 4.27.11
Date: 2020-10-26
CVE indentifier CVE-2020-7752

Impact

Here we had an issue that there was a possibility to inject commands to the command line of your machine via systeminformation. Affected commands: inetChecksite().

Patch

Problem was fixed with a shell string sanitation fix. Please upgrade to version >= 4.27.11

Workarround

If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to inetChecksite()