
CVE-2021-21315

Description

The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability; the problem was fixed in version 5.3.1. As a workaround instead of upgrading, check or sanitize the service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ...: allow only strings and reject any arrays. String sanitization works as expected, so the check that matters is the type check that rejects non-string (array) values.
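The advisory's workaround ("only allow strings, reject any arrays") follows from a general JavaScript pitfall: a sanitizer that only touches string values lets an array through untouched, and when that array is interpolated into a command line its elements are joined with commas and reach the shell unfiltered. The example below is added here and is not systeminformation's own code; `naiveSanitize`, `buildPingCommand` and `requireHostString` are hypothetical names, and the ping-style command string is an assumed stand-in for whatever the library builds internally. It shows the array bypass against a string-only sanitizer side by side with a check that enforces the workaround.

```javascript
// Added illustration, not systeminformation's implementation.
// Shows why an array parameter slips past a string-only sanitizer and
// what the advisory's "strings only, no arrays" workaround looks like.

// Naive sanitizer of the kind the advisory warns about: it strips shell
// metacharacters from strings but returns any other type unchanged.
// (Hypothetical; illustrates the weakness, not the library's code.)
function naiveSanitize(value) {
  if (typeof value === 'string') {
    return value.replace(/[^A-Za-z0-9.\-_:]/g, '');
  }
  return value; // arrays, objects, numbers pass through untouched
}

// Command line built by template interpolation (assumed shape, not the
// library's actual command).  An array interpolated here becomes
// Array.prototype.toString(): elements joined by commas, no sanitizing.
function buildPingCommand(host) {
  return `ping -c 1 ${naiveSanitize(host)}`;
}

// Hardened check implementing the advisory's workaround: reject anything
// that is not a string (arrays included), then allowlist the characters
// a hostname or IP address may legitimately contain.
function requireHostString(value) {
  if (typeof value !== 'string') {
    const kind = Array.isArray(value) ? 'array' : typeof value;
    throw new TypeError(`service parameter must be a string, got ${kind}`);
  }
  if (!/^[A-Za-z0-9.\-_:]{1,253}$/.test(value)) {
    throw new Error('service parameter contains characters outside the allowlist');
  }
  return value;
}

function safeBuildPingCommand(host) {
  return `ping -c 1 ${requireHostString(host)}`;
}

// Constructed sample inputs: an injection attempt as a string and the same
// payload smuggled in as an array element.
const SAMPLE_STRING = 'example.com; id';
const SAMPLE_ARRAY = ['example.com', '; id'];

// The string attempt is neutered; the array attempt reaches the shell as
// "ping -c 1 example.com,; id", i.e. ping followed by an injected "id".
console.log(buildPingCommand(SAMPLE_STRING));
console.log(buildPingCommand(SAMPLE_ARRAY));
try {
  safeBuildPingCommand(SAMPLE_ARRAY);
} catch (e) {
  console.log(`rejected: ${e.message}`);
}
```

Nothing in the block executes a command; it only builds the string that would be handed to the shell, which is enough to see that the array form carries the `; id` separator through while the string form does not. In an application that cannot upgrade past 5.3.1, `requireHostString` (or an equivalent type-and-allowlist check) belongs at every call site that forwards user input to the functions named in the advisory.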

NVD
Severity: HIGH
CVE ID: CVE-2021-21315
CVSS Score: 7.8
CVSS Metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
GitHub, Inc.
Severity: HIGH
CVE ID: CVE-2021-21315
CVSS Score: 7.1
CVSS Metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Reference: NVD, MITRE

Proof Of Concept

Nuclei Templates for CVE-2021-21315

ForbiddenProgrammer

CVE 2021-21315 PoC

Reference: GitHub

cherrera0001

Reference: GitHub

MazX0p

systeminformation

Reference: GitHub

alikarimi999

Reference: GitHub

G01d3nW01f

A Rust noob tried to write easy exploit code in the Rust language

Reference: GitHub

xMohamed0

Reference: GitHub