PT-2021-4725 · Npm · Systeminformation

Sebhildebrandt · Published 2021-03-15 · Updated 2021-05-05 · CVE-2021-21388

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: systeminformation versions prior to 5.6.4
Description: A command injection issue has been discovered in the systeminformation library for Node.js. The issue stems from insufficient checking of data passed as parameters to functions such as si.inetLatency, si.inetChecksite, si.services, and si.processLoad. Exploitation of this issue could allow a remote attacker to execute arbitrary code. The problem has been fixed with a parameter check on user input.
Recommendations: For versions prior to 5.6.4, upgrade to version >= 5.6.4. If you cannot upgrade, check or sanitize the parameters that are passed to functions like si.inetLatency(), si.inetChecksite(), si.services(), and si.processLoad(), allowing only strings and rejecting any arrays.
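The mitigation above (strings only, arrays rejected) as an added example; this is not code from the advisory or from the systeminformation project. The per-kind character patterns, the `guard` wrapper and the `fakeSi` stub are assumptions of this example, and the patterns are a stricter layer than the advisory's minimum check.

```javascript
// Added example: validate caller-controlled values before they reach
// si.inetLatency(), si.inetChecksite(), si.services() or si.processLoad().
// The advisory's minimum is "string only, no arrays"; the patterns below are an
// extra, conservative restriction of our own, not something the advisory prescribes.
const NAME_LIST = /^(\*|[A-Za-z0-9._-]+(\s*,\s*[A-Za-z0-9._-]+)*)$/; // "mysql, nginx" or "*"
const ALLOWED = {
  host:    /^[A-Za-z0-9.:-]{1,253}$/,                     // hostname or IP literal
  url:     /^https?:\/\/[A-Za-z0-9.:\/_%?=&#-]{1,2048}$/, // http(s) URL, no quotes or spaces
  service: NAME_LIST,
  process: NAME_LIST,
};

// Returns the value unchanged if it is a plain string of the expected shape;
// throws otherwise. Arrays are the case the advisory calls out, so they are
// reported explicitly instead of falling through the typeof check.
function checkParam(value, kind) {
  const pattern = ALLOWED[kind];
  if (!pattern) throw new RangeError(`unknown parameter kind: ${kind}`);
  if (Array.isArray(value)) throw new TypeError(`${kind} parameter must be a string, not an array`);
  if (typeof value !== 'string') throw new TypeError(`${kind} parameter must be a string, got ${typeof value}`);
  if (!pattern.test(value)) throw new RangeError(`${kind} parameter contains disallowed characters: ${JSON.stringify(value)}`);
  return value;
}

// Wraps one systeminformation function so every call is validated first.
// `fn` is whatever the caller supplies (e.g. si.inetLatency); the library is
// not imported here, so the file runs offline against the stub below.
function guard(fn, kind) {
  return (value, ...rest) => fn(checkParam(value, kind), ...rest);
}

// Constructed stand-in for the library: it only records what it was called with.
const calls = [];
const fakeSi = {
  inetLatency: (host)  => { calls.push(['inetLatency', host]); return Promise.resolve(12.3); },
  services:    (names) => { calls.push(['services', names]);   return Promise.resolve([]);   },
};
const safeLatency  = guard(fakeSi.inetLatency, 'host');
const safeServices = guard(fakeSi.services, 'service');

// Returns true when the guard rejected the value and nothing reached the stub.
function blocked(fn, value) {
  const before = calls.length;
  try { fn(value); } catch (e) { return calls.length === before; }
  return false;
}
```

Replace `fakeSi` with the real `si` object from `require('systeminformation')` to use the wrappers in an application.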

Fix

RCE

Command Injection

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2021-05431
CVE-2021-21388
GHSA-JFF2-QJW8-5476

Affected Products

Systeminformation