RCE in Sebhildebrandt Systeminformation
CVE-2021-21315
The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command i…
Vulnerability class: Command Injection (OS Command Injection)
EPSS: 0.940 (99.9th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 7.1 (High). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N.
Affected products
- Sebhildebrandt Systeminformation — versions < 5.3.1
Weakness classification (CWE)
CISA KEV (Known Exploited Vulnerabilities)
This CVE is on the CISA KEV catalog, added on . CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.
BOD 22-01 due date: .
Required action: Apply updates per vendor instructions.
Public proof-of-concept exploits
References
- www.npmjs.com/package/systeminformation (x_refsource_MISC)
- github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2m8v-572m-… (x_refsource_CONFIRM)
- github.com/sebhildebrandt/systeminformation/commit/07daa05fb06f24f96297abaa30c2… (x_refsource_MISC)
- [cordova-issues] 20210224 [GitHub] [cordova-cli] iva2k opened a new issue #549: update systeminformation package to >=5.3.1 (mailing-list, x_refsource_MLIST)
- security.netapp.com/advisory/ntap-20210312-0007/ (x_refsource_CONFIRM)
Frequently asked questions
- What is CVE-2021-21315?
- CVE-2021-21315 is a high-severity vulnerability in Sebhildebrandt Systeminformation, classified under OS Command Injection. CVSS score: 7.1/10. Published 2021-02-16.
- How severe is CVE-2021-21315?
- High severity. CVSS v3 base score is 7.1 out of 10.
- Is CVE-2021-21315 known to be exploited?
- Yes. CVE-2021-21315 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-01-18), indicating it is being actively exploited. 63 public proof-of-concept repositories are indexed.