QID 150503

Date Published: 2022-04-28

QID 150503: NodeJS Command Injection Vulnerability (CVE-2021-21315)

Node.js is an open-source, cross-platform, back-end JavaScript runtime environment that runs on the V8 engine and executes JavaScript code outside a web browser.

The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability.

Affected Versions:
System Information Library prior to 5.3.1

QID Detection Logic (Unauthenticated):
This QID sends an HTTP GET request to the "api/getServices" endpoint with a specially crafted out-of-band payload in the "name" parameter; a vulnerable server makes a DNS query that triggers the Qualys Periscope detection mechanism.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the target system.

  • CVSS v3 rated as High - 7.8 severity.
  • CVSS v2 rated as Medium - 4.6 severity.

Solution:
Customers are advised to upgrade to System Information Library 5.3.1 or a later version to remediate the vulnerability. For more information, please refer to the security advisory.
As a workaround, instead of upgrading, check or sanitize the service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ...: allow only strings and reject any arrays. String sanitization works as expected.
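As an added example of the workaround above (not code from this Qualys page or from the systeminformation project), the following JavaScript validator accepts only a plain string for the service name, rejects arrays and any other type, and applies a conservative character allow-list before the value would be handed to si.services() or the other listed functions. The allow-list pattern, the length limit and the commented handler sketch are assumptions made for illustration.

```javascript
// Added example: defender-side validation of the "name" parameter before it
// reaches si.services() / si.processLoad() / si.inetLatency() / si.inetChecksite().
// Follows the advisory's workaround: accept only strings, reject arrays.

// Conservative allow-list for service/process names. The character set and
// length limit are assumptions for this example; tighten them to match the
// service names your deployment actually uses.
const SERVICE_NAME_RE = /^[A-Za-z0-9_.@-]+$/;
const MAX_LEN = 64;

class InvalidServiceName extends Error {}

// Returns the validated (trimmed) name or throws InvalidServiceName.
function validateServiceName(value) {
  if (Array.isArray(value)) {
    // Query-string parsers turn ?name=a&name=b (or name[]=a) into arrays;
    // the advisory says to reject those outright.
    throw new InvalidServiceName('arrays are not accepted');
  }
  if (typeof value !== 'string') {
    throw new InvalidServiceName('name must be a string');
  }
  const trimmed = value.trim();
  if (trimmed.length === 0 || trimmed.length > MAX_LEN) {
    throw new InvalidServiceName('name length out of range');
  }
  if (!SERVICE_NAME_RE.test(trimmed)) {
    // Rejects whitespace and shell metacharacters such as ; | & $ `
    throw new InvalidServiceName('name contains disallowed characters');
  }
  return trimmed;
}

// Non-throwing wrapper returning a result object, convenient for an HTTP
// handler that should answer 400 on bad input.
function checkServiceName(value) {
  try {
    return { ok: true, name: validateServiceName(value) };
  } catch (e) {
    if (e instanceof InvalidServiceName) return { ok: false, reason: e.message };
    throw e;
  }
}

// Hypothetical Express handler sketch showing where the check sits
// (the si call itself is omitted so this file runs stand-alone):
// app.get('/api/getServices', (req, res) => {
//   const r = checkServiceName(req.query.name);
//   if (!r.ok) return res.status(400).json({ error: r.reason });
//   si.services(r.name).then((data) => res.json(data));
// });
```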

CVEs related to QID 150503: CVE-2021-21315

Software Advisories:
Security Advisory: github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2m8v-572m-ff2v