# SNYK-JS-SYSTEMINFORMATION-1050436

Status: Published. Severity: High (CVSS 8.2).

## Overview

[systeminformation](https://www.npmjs.com/package/systeminformation) is a simple system and OS information library. Affected versions of this package are vulnerable to Command Injection. The `sanitizeShellString` function does not sanitize quotation marks (the PoC below uses backticks), so a string containing a backtick-quoted command survives sanitization, reaches the shell intact, and the embedded command is executed.

The practical exposure is any call path in which the host argument of an affected API such as `inetLatency` is derived from untrusted input (for example a hostname taken from a web request). Callers that only ever pass constant or validated hostnames are not reachable by this payload, but the library-side fix is still required.

### PoC

```js
const si = require('systeminformation');
// The backtick-quoted value is passed to the shell unchanged by sanitizeShellString.
si.inetLatency("`<OS command>`");
```

## Remediation

Upgrade `systeminformation` to version 4.31.1 or higher.

## References

- [GitHub Additional Information](https://github.com/sebhildebrandt/systeminformation/blob/4f98f2ff208f355b7e242661cf9c4594a702dbec/lib/internet.js#L119)
- [GitHub Commit](https://github.com/sebhildebrandt/systeminformation/commit/1faadcbf68f1b1fdd5eb2054f68fc932be32ac99)
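The following is an added example, not code from the systeminformation project or from this advisory. It models the bug class the Overview describes: a blacklist sanitizer that strips a few shell metacharacters but leaves quotes and backticks alone, the shell-string construction that makes such a sanitizer exploitable, and the allow-list validation plus argv-array invocation that replaces it. The helper names (`looseSanitize`, `buildShellCommand`, `containsShellSubstitution`, `isSafeHost`, `buildExecFileArgs`, `demo`) and the exact character lists are assumptions chosen for illustration; the real `sanitizeShellString` implementation is not reproduced here.

```javascript
// Added illustration for the advisory above; not code from the
// systeminformation project. Function names and character lists are
// assumptions chosen to model the bug class, not the library's real code.

// Blacklist sanitizer of the shape the advisory describes: it removes some
// shell metacharacters but leaves quotes and backticks untouched.
function looseSanitize(value) {
  return String(value).replace(/[;&|<>\n\r]/g, '');
}

// Vulnerable shape: the "sanitized" value is spliced into a string that will
// be handed to a shell, where backticks and $(...) are still interpreted.
function buildShellCommand(host) {
  return 'ping -c 1 ' + looseSanitize(host);
}

// Detect constructs a POSIX shell would still expand after looseSanitize:
// backtick, single/double quote, dollar (command/parameter expansion), backslash.
function containsShellSubstitution(command) {
  return /[`'"$\\]/.test(command);
}

// Allow-list check: hostnames and IP literals need only letters, digits,
// dot, colon and hyphen, so anything outside that set is rejected outright
// instead of being "cleaned".
const HOST_RE = /^[A-Za-z0-9][A-Za-z0-9.:-]{0,252}$/;
function isSafeHost(value) {
  return HOST_RE.test(String(value));
}

// Hardened shape: validate first, then build an argv array for
// child_process.execFile. With no shell in the loop, any metacharacter that
// slipped through would be passed to ping as a literal argument, not run.
function buildExecFileArgs(host) {
  if (!isSafeHost(host)) {
    throw new Error('invalid host: ' + JSON.stringify(host));
  }
  return { file: 'ping', args: ['-c', '1', host] };
}

// Constructed payload in the shape of the advisory's PoC (no real command run).
const PAYLOAD = '8.8.8.8`id`';

// Walk the payload through both shapes and report what each one does with it.
function demo(host) {
  let hardenedAccepted = true;
  try {
    buildExecFileArgs(host);
  } catch (e) {
    hardenedAccepted = false;
  }
  return {
    afterLooseSanitize: looseSanitize(host),
    shellCommand: buildShellCommand(host),
    shellStillInterpretsIt: containsShellSubstitution(buildShellCommand(host)),
    hardenedAccepted: hardenedAccepted,
  };
}

console.log(demo(PAYLOAD));
// In a real fix the caller would pass the object from buildExecFileArgs to
//   require('child_process').execFile(file, args, callback)
```

Run it with `node` to see that the loose sanitizer returns the payload unchanged and the built shell string still contains the backtick substitution, while the allow-list path refuses the same input. The design point is that validation by allow-list followed by `execFile` with an argument array removes the shell from the path entirely, so the question of which metacharacters a blacklist forgot never arises.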

## Risk Scores

CVSS v3.1: 8.2 (High)

Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RL:O/RC:C`
