SNYK-JS-SYSTEMINFORMATION-1050436
## Overview [systeminformation](https://www.npmjs.com/package/systeminformation) is a simple system and OS information library. Affected versions of this package are vulnerable to Command Injection. The `sanitizeShellString` function does not sanitize quotation marks, which could be leveraged by an attacker to execute arbitrary commands. ### PoC ``` const si = require('systeminformation'); si.inetLatency("`<OS command>`"); ``` ## Remediation Upgrade `systeminformation` to version 4.31.1 or higher. ## References - [GitHub Additional Information](https://github.com/sebhildebrandt/systeminformation/blob/4f98f2ff208f355b7e242661cf9c4594a702dbec/lib/internet.js#L119) - [GitHub Commit](https://github.com/sebhildebrandt/systeminformation/commit/1faadcbf68f1b1fdd5eb2054f68fc932be32ac99)
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| 0 |
Timeline
- Dec 11, 2020 CVE Updated
- Dec 14, 2020 CVE Published
References
- https://security.snyk.io/vuln/SNYK-JS-SYSTEMINFORMATION-1050436 advisory
- https://learn.snyk.io/lesson/malicious-code-injection/ technical
- https://www.npmjs.com/package/systeminformation vendor
- https://github.com/sebhildebrandt/systeminformation/blob/4f98f2ff208f355b7e242661cf9c4594a702dbec/lib/internet.js#L119 technical
- https://github.com/sebhildebrandt/systeminformation/commit/1faadcbf68f1b1fdd5eb2054f68fc932be32ac99 patch