CVE-2020-26245

Опубликовано: 27 нояб. 2020

Источник: nvd

CVSS3: 8.1

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite().

Ссылки

https://github.com/sebhildebrandt/systeminformation/commit/8113ff0e87b2f422a5756c48f1057575e73af016
Patch
Third Party Advisory
https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-4v2w-h9jm-mqjg
Third Party Advisory
https://github.com/sebhildebrandt/systeminformation/commit/8113ff0e87b2f422a5756c48f1057575e73af016
Patch
Third Party Advisory
https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-4v2w-h9jm-mqjg
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:systeminformation:systeminformation:*:*:*:*:*:node.js:*:*

Версия до 4.30.5 (исключая)

EPSS

Процентиль: 78%

0.0113

Низкий

8.1 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-78

Связанные уязвимости

GHSA-4v2w-h9jm-mqjg

CVSS3: 8.1

github

около 5 лет назад

Prototype Pollution in systeminformation

EPSS

Процентиль: 78%

0.0113

Низкий

8.1 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-78