exploitDog

CVE-2026-26318

Published: 19 Feb. 2026
Source: redhat
CVSS3: 8.8
EPSS: Low

Description

systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized locate output in versions(). Version 5.31.0 fixes the issue.

A flaw was found in systeminformation, a System and OS information library for node.js. This vulnerability allows a local attacker with low privileges to inject and execute arbitrary commands due to unsanitized output from the locate command within the versions() function. Successful exploitation can lead to high impact on confidentiality, integrity, and availability of the affected system.

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Affected packages

| Platform | Package | Status | Recommendation | Release |
| --- | --- | --- | --- | --- |
| Red Hat Developer Hub | rhdh/rhdh-hub-rhel9 | Affected | | |

Additional information

Status: Important
Defect: CWE-78
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2441124
systeminformation: systeminformation: Arbitrary code execution via unsanitized `locate` output

EPSS

Percentile: 7%
Score: 0.00027
Rating: Low

CVSS3: 8.8 High

Related vulnerabilities

CVSS3: 8.8
Source: nvd
About 1 month ago

systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue.

CVSS3: 8.8
Source: github
About 1 month ago

Command Injection via Unsanitized `locate` Output in `versions()` — systeminformation
