CVE-2021-21315
Published: 16 February 2021
Summary
CVE-2021-21315 is a high-severity OS Command Injection (CWE-78) vulnerability in the systeminformation npm package (vendor and product are both listed as Systeminformation). Its CVSS base score is 7.1 (High).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations identified in this analysis map to NIST SP 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a command injection flaw (CWE-78) in the systeminformation npm package, an open-source Node.js library used to retrieve hardware, system, and OS details. It affects all versions prior to 5.3.1 and is reachable through the functions that take a caller-supplied parameter and pass it into an operating-system command.
An attacker who can supply or influence the parameter passed to si.inetLatency(), si.inetChecksite(), si.services(), or si.processLoad() can inject operating-system commands. The CVSS 7.1 vector (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N) scores a local attack vector with no privileges or user interaction required, a changed scope, and a high integrity impact; confidentiality and availability impacts are scored as none. Whether that input is actually reachable from the network depends on the calling application: a service that forwards request data such as a user-supplied hostname into one of these functions exposes the flaw to remote callers even though the vector is scored as local.
The GitHub Security Advisory and the accompanying fix commit state that the issue is resolved in version 5.3.1. If upgrading is not immediately possible, the documented workaround is to check or sanitize the parameters passed to the affected functions: accept only strings and reject arrays. The advisory reports that string sanitization works as expected, which implies that the bypass lies in how non-string values (arrays) were handled before 5.3.1. NetApp and Apache Cordova mailing-list references point to the same upstream fix for downstream products.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-0527
Vulnerability details
The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. Problem was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.
- CWE(s): CWE-78 (OS Command Injection)
- KEV Date Added: 18 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- systeminformation (npm package), all versions before 5.3.1
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of the untrusted parameters passed to si.inetLatency(), si.inetChecksite(), si.services() and si.processLoad(), blocking the command-injection vectors described in the CVE.
- SI-2 (Flaw Remediation): mandates prompt installation of systeminformation 5.3.1, the release that eliminates the command-injection flaw in the affected functions.
- Configuration settings: where the upgrade cannot be applied yet, enforces the documented workaround in the calling code, namely accepting only string inputs and rejecting arrays for the vulnerable APIs.