
Prototype Pollution in systeminformation

Moderate severity GitHub Reviewed Published Nov 27, 2020 in sebhildebrandt/systeminformation • Updated Jan 9, 2023

Package

npm systeminformation (npm)

Affected versions

< 4.30.5

Patched versions

4.30.5

Description

Impact

Command injection vulnerability via prototype pollution.

Patches

The problem was fixed with a rewrite of the shell sanitization to avoid prototype pollution problems. Please upgrade to version >= 4.30.2.

Workarounds

If you cannot upgrade, be sure to check or sanitize the service parameter strings that are passed to si.inetChecksite().
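One way to apply that workaround, as an added example that is not code from the advisory or from the systeminformation project: a strict allow-list check run on the URL string before it is handed to si.inetChecksite(). The helper names, the allowed-protocol policy and the naive contrast function are assumptions for illustration; the point of the contrast is that an allow list kept in a plain object inherits whatever an attacker has written onto Object.prototype, while a Set and an own-property regex check do not.

```javascript
// Added example (hypothetical helper, not the project's own code).
// Allow list kept in a Set: Set.prototype.has() does not consult
// Object.prototype, so a polluted prototype cannot add entries to it.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// DNS-style hostname: labels of letters/digits/hyphens, no leading or
// trailing hyphen, joined by dots. Plain IPv4 literals also match.
const HOSTNAME_RE =
  /^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$/;

// Characters that have meaning to a shell; rejected outright so the
// string is safe even if a downstream layer still builds a command.
const SHELL_META_RE = /[;|&$`()<>'"\\\s]/;

function isSafeCheckSiteUrl(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > 2048) {
    return false;
  }
  // Printable ASCII only (covers control characters and newlines).
  if (!/^[\x21-\x7e]+$/.test(input)) return false;
  if (SHELL_META_RE.test(input)) return false;

  let parsed;
  try {
    parsed = new URL(input); // WHATWG parser, built into Node
  } catch {
    return false;
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return false;
  if (parsed.username !== '' || parsed.password !== '') return false;
  return HOSTNAME_RE.test(parsed.hostname);
}

// Contrast (do NOT use): a plain-object allow list. A property lookup on
// {} falls through to Object.prototype, so once that prototype is
// polluted with a key like 'gopher:' this check starts returning true.
const NAIVE_PROTOCOLS = { 'http:': true, 'https:': true };
function protocolAllowedNaive(protocol) {
  return Boolean(NAIVE_PROTOCOLS[protocol]);
}

// Guarded wrapper: only validated strings reach the library call.
// `si` is assumed to be the systeminformation module.
function checkSiteSafely(si, url, cb) {
  if (!isSafeCheckSiteUrl(url)) {
    throw new Error('inetChecksite: rejected unsafe url string');
  }
  return si.inetChecksite(url, cb);
}
```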

For more information

If you have any questions or comments about this advisory:

References

Reviewed Nov 27, 2020
Published to the GitHub Advisory Database Nov 27, 2020
Last updated Jan 9, 2023

Severity

Moderate

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(78th percentile)

Weaknesses

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Learn more on MITRE.

Modification of Assumed-Immutable Data (MAID)

The product does not properly protect an assumed-immutable element from being modified by an attacker. Learn more on MITRE.

CVE ID

CVE-2020-26245

GHSA ID

GHSA-4v2w-h9jm-mqjg

Source code

No known source code