mike/systeminformation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
systeminformation/docs/v4/security.html
Sebastian Hildebrandt 95ed380879 chore: updated copyright year
2026-01-03 10:30:21 +01:00

253 lines
14 KiB
HTML
Raw Blame History

<!doctype html>
<html lang="en">
<head>
<!-- Required meta tags -->
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<!-- CSS -->
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/css/bootstrap.min.css" integrity="sha384-MCw98/SFnGE8fJT3GXwEOngsV7Zt27NXFoaoApmYm81iuXoPkFOJwJ8ERdknLPMO" crossorigin="anonymous">
<link rel="stylesheet" href="https://pro.fontawesome.com/releases/v5.6.3/css/all.css" integrity="sha384-LRlmVvLKVApDVGuspQFnRQJjkv0P7/YFrw84YYQtmYG4nK8c+M+NlmYDCv0rKWpG" crossorigin="anonymous">
<link rel="stylesheet" href="styles.css">
<script src="main.js"></script>
<!-- Favicon -->
<link rel="icon" type="image/png" sizes="192x192" href="/assets/android-icon-192x192.png">
<link rel="icon" type="image/png" sizes="32x32" href="/assets/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="96x96" href="/assets/favicon-96x96.png">
<link rel="icon" type="image/png" sizes="16x16" href="/assets/favicon-16x16.png">
<title>systeminformation</title>
</head>
<body>
<nav class="nav">
<div class="container">
<a href="/v4/index.html"><img class="logo float-left" src="assets/logo.png" alt="logo">
<div class="title float-left">systeminformation - Version 4</div>
</a>
<div class="text float-right github"><a href="https://github.com/sebhildebrandt/systeminformation">View on Github <i class="fab fa-github"></i></a></div>
<div class="text float-right todocs"><a href="./#docs">Docs Overview</a></div>
</div>
</nav>
<div class="container-fluid">
<section class="container">
<div class="row">
<div class="col-12 col-md-4 col-lg-3 col-xl-2 menu" id="menu">
</div>
<div class="col-12 col-md-8 col-lg-9 col-xl-10 content">
<div class="row">
<div class="col-12 sectionheader">
<div class="title">Security Advisories</div>
<div class="text">
<h2>Passing User Paramters to Systeminformation</h2>
<p>For most of the applications that are using <span class="code">systeminformation</span>, there is no reason to worry. <span class="bold">But be aware!</span> If you are using <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span>, <span class="code">versions()</span> with arbitrary untrusted user input, you should pay extra attention! We are doing a lot of input sanitation for those functions inside this package but we cannot handle all cases!</p>
<p class="warning">This can lead to serious impact on your servers!</p>
<p>We highly recommend to always upgrade to the latest version of our package. We maintain security updates for version 5 AND also version 4. For version 4 you can install latest version by placing <span class="code">"systeminformation": "^4"</span> in your package.json (dependencies) and run <span class="code">npm install</span></p>
<h2>Command Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
&lt; 4.34.21<br>
<span class="bold">Date:</span> 2021-05-04<br>
<span class="bold">CVE indentifier</span> -
</p>
<h4>Impact</h4>
<p>We had an issue that there was a possibility to perform a potential command injection possibility by passing a non string values as a parameter to the <span class="code">dockerContainerInspect()</span>, <span class="code">dockerContainerProcesses()</span>.</p>
<h4>Patch</h4>
<p>Problem was fixed with parameter checking. Please upgrade to version >= 4.34.21 if you are using version 4.</p>
<h4>Workaround</h4>
<p>If you cannot upgrade, be sure to check or sanitize parameter strings that are passed to <span class="code">dockerContainerInspect()</span>, <span class="code">dockerContainerProcesses()</span> (string only)</p>
<hr>
<br>
<h2>Command Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
&lt; 4.34.20<br>
<span class="bold">Date:</span> 2021-04-08<br>
<span class="bold">CVE indentifier</span> -
</p>
<h4>Impact</h4>
<p>We had an issue that there was a possibility to perform a potential command injection possibility by passing a non string values as a parameter to the <span class="code">versions()</span>.</p>
<h4>Patch</h4>
<p>Problem was fixed with parameter checking. Please upgrade to version >= 4.34.20 if you are using version 4.</p>
<h4>Workaround</h4>
<p>If you cannot upgrade, be sure to check or sanitize parameter strings that are passed to <span class="code">versions()</span> (string only)</p>
<hr>
<br>
<h2>Command Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
&lt; 4.34.17<br>
<span class="bold">Date:</span> 2021-03-15<br>
<span class="bold">CVE indentifier</span> -
</p>
<h4>Impact</h4>
<p>We had an issue that there was a possibility to perform a potential command injection possibility by passing a manipulated string prototype as a parameter to the following functions. Affected commands: <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span>.</p>
<h4>Patch</h4>
<p>Problem was fixed with additional parameter checking. Please upgrade to version >= 4.34.17 if you are using version 4.</p>
<h4>Workaround</h4>
<p>If you cannot upgrade, be sure to check or sanitize parameter strings that are passed to <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span> (string only)</p>
<hr>
<br>
<h2>Insufficient File Scheme Validation</h2>
<p><span class="bold">Affected versions:</span>
4.34.12<br>
<span class="bold">Date:</span> 2021-02-15<br>
<span class="bold">CVE indentifier</span> -
</p>
<h4>Impact</h4>
<p>We had an issue that there was a possibility to run inetChecksite against local files due to improper file scheme validation. Affected commands: <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>.</p>
<h4>Patch</h4>
<p>Problem was fixed with additional parameter checking. Please upgrade to version >= 4.34.12 if you are using version 4.</p>
<h4>Workaround</h4>
<p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span> (sanitize `file://` parameter)</p>
<hr>
<br>
<h2>Command Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
&lt; 4.34.11<br>
<span class="bold">Date:</span> 2021-02-14<br>
<span class="bold">CVE indentifier</span> CVE-2021-21315
</p>
<h4>Impact</h4>
<p>We had an issue that there was a possibility to perform a potential command injection possibility by passing a manipulated array as a parameter to the following functions. Affected commands: <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span>.</p>
<h4>Patch</h4>
<p>Problem was fixed with additional parameter checking. Please upgrade to version >= 4.34.11 if you are using version 4.</p>
<h4>Workaround</h4>
<p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span> (string only)</p>
<hr>
<br>
<h2>DOS Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
&lt; 4.34.10<br>
<span class="bold">Date:</span> 2021-02-12<br>
<span class="bold">CVE indentifier</span> -
</p>
<h4>Impact</h4>
<p>Here we had an issue that there was a possibility to perform a ping command execution for too long time. Affected commands: <span class="code">inetLatency()</span>.</p>
<h4>Patch</h4>
<p>Problem was fixed with a shell string sanitation fix. Please upgrade to version >= 4.34.10 if you are using version 4.</p>
<h4>Workaround</h4>
<p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span> (no spaces)</p>
<hr>
<br>
<h2>Command Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
&lt; 4.31.1<br>
<span class="bold">Date:</span> 2020-12-11<br>
<span class="bold">CVE indentifier</span> CVE-2020-26274, CVE-2020-28448
</p>
<h4>Impact</h4>
<p>Here we had an issue that there was a possibility to inject commands to the command line of your machine via systeminformation. Affected commands: <span class="code">inetLatency()</span>.</p>
<h4>Patch</h4>
<p>Problem was fixed with a shell string sanitation fix. Please upgrade to version >= 4.31.1</p>
<h4>Workaround</h4>
<p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span></p>
<hr>
<br>
<h2>Command Injection Vulnerability - prototype pollution</h2>
<p><span class="bold">Affected versions:</span>
&lt; 4.30.5<br>
<span class="bold">Date:</span> 2020-11-26<br>
<span class="bold">CVE indentifier</span> CVE-2020-26245
</p>
<h4>Impact</h4>
<p>Here we had an issue that there was a possibility to inject commands to the command line by property pollution on the string object. Affected commands: <span class="code">inetChecksite()</span>.</p>
<h4>Patch</h4>
<p>Problem was fixed with a shell string sanitation fix as well as handling prototype polution. Please upgrade to version >= 4.30.5</p>
<h4>Workaround</h4>
<p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetChecksite()</span></p>
<hr>
<br>
<h2>Command Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
&lt; 4.27.11<br>
<span class="bold">Date:</span> 2020-10-26<br>
<span class="bold">CVE indentifier</span> CVE-2020-7752
</p>
<h4>Impact</h4>
<p>Here we had an issue that there was a possibility to inject commands to the command line of your machine via systeminformation. Affected commands: <span class="code">inetChecksite()</span>.</p>
<h4>Patch</h4>
<p>Problem was fixed with a shell string sanitation fix. Please upgrade to version >= 4.27.11</p>
<h4>Workaround</h4>
<p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetChecksite()</span></p>
</div>
</div>
</div>
</div>
</div>
</section>
</div>
<footer class="container-fluid footer">
<div class="container">
<div class="row">
<div class="col-lg-4 col-12">
<ul class="list-unstyled">
<li><a href="/v4/index.html">Home</a></li>
<li><a href="https://github.com/sebhildebrandt/systeminformation">Github <i class="fab fa-github"></i></a></li>
<li><a href="contributors.html">Contributors</a></li>
<li>&nbsp;</li>
<li><a href="https://buymeacoff.ee/systeminfo" class="medium badge bg-primary"><i class="fas fa-coffee"></i>&nbsp;&nbsp;Buy me a coffee</a></li>
</ul>
</div>
<div class="col-lg-4 col-12">
<ul class="list-unstyled">
<li><a href="gettingstarted.html">Quick Start</a></li>
<li><a href="issues.html">Known Issues</a></li>
<li><a href="statsfunctions.html">Stats Functions</a></li>
<li><a href="history.html">Version History</a></li>
<li><a href="../index.html" class="bold v5">Version 5 Docs</a></li>
</ul>
</div>
<div class="col-lg-4 col-12">
<ul class="list-unstyled">
<li><a href="https://www.plus-innovations.com">&copy; 2026 Sebastian Hildebrandt, +innovations</a></li>
<li><a href="copyright.html">Copyright &amp; License</a></li>
<li><a href="trademarks.html">Trademarks</a></li>
<li>&nbsp;</li>
<li><a href="https://github.com/sebhildebrandt/systeminformation/blob/master/LICENSE"><img src="https://img.shields.io/badge/license-MIT-blue.svg?style=flat-square" alt="MIT license" /></a></li>
</ul>
</div>
</div>
</div>
</footer>
<script>
window.onload = function (e) {
createMenu();
}
</script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink