CVE-2021-21315
Description
The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. The problem was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... Allow only strings and reject any arrays. String sanitization works as expected.
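The workaround above, sketched as a type guard placed in front of the affected calls. This is an added example, not code from the systeminformation project: `requireStringParam`, `guarded`, `classify` and the stand-in `fakeServices` (used in place of `si.services` so the block runs without the package) are hypothetical names, and the sample inputs are constructed.

```javascript
// Added example: allow only strings, reject arrays and every other type,
// before a value reaches a systeminformation function.

function requireStringParam(value, name) {
  // typeof excludes arrays, objects, numbers, null and undefined in one check.
  if (typeof value !== 'string') {
    const kind = Array.isArray(value) ? 'array' : value === null ? 'null' : typeof value;
    throw new TypeError(`${name} must be a string, got ${kind}`);
  }
  return value;
}

// Wrap a function whose first argument is the service/host parameter.
// The guard runs synchronously, so a rejected value never reaches fn.
function guarded(fn, name) {
  return (value, ...rest) => fn(requireStringParam(value, name), ...rest);
}

// Stand-in for si.services (assumption); records what it was called with.
const calls = [];
const fakeServices = async (srv) => {
  calls.push(srv);
  return { checked: srv };
};
const safeServices = guarded(fakeServices, 'services');

// Constructed inputs of the kinds a request handler may receive.
const samples = ['nginx', ['nginx'], { name: 'nginx' }, 42, null, undefined];

function classify(inputs) {
  return inputs.map((v) => {
    try {
      requireStringParam(v, 'param');
      return 'accepted';
    } catch (e) {
      return 'rejected';
    }
  });
}

console.log(classify(samples));
```

In an application, the same wrapper would be applied to each of the functions named in the description; upgrading to 5.3.1 or later remains the fix.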
Severity: HIGH
CVE ID: CVE-2021-21315
CVSS Score: 7.8
CVSS Metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH
CVE ID: CVE-2021-21315
CVSS Score: 7.1
CVSS Metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Proof Of Concept
Nuclei Templates for CVE-2021-21315
Reference: Project Discovery GitHub
ForbiddenProgrammer
CVE 2021-21315 PoC
Reference: GitHub
cherrera0001
Reference: GitHub
MazX0p
systeminformation
Reference: GitHub
alikarimi999
Reference: GitHub
G01d3nW01f
rust noob tried write easy exploit code with rust lang
Reference: GitHub
xMohamed0
Reference: GitHub