NodeJS System Information Library Command Injection (CVE-2021-21315)
search cancel

NodeJS System Information Library Command Injection (CVE-2021-21315)

book

Article ID: 263453

calendar_today

Updated On:

Products

CA API Gateway

Issue/Introduction

Our Security team has found a vulnerability when scanning one of our XML Gateways.

The remote host contains a systeminformation npm module that is prior to  5.3.1. It is, therefore, affected by a command injection vulnerability.  

The System Information Library for Node.JS (npm package 'systeminformation') is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. The vulnerability was fixed in version 5.3.1.

As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), or si.processLoad()... to only allow strings and reject any arrays. String sanitization works as expected.

Are you aware of this vulnerability and has this been addressed with any of the patches? 

 

 

Environment

Release : 10.1

Resolution

There should not be any Node.JS packages on the Gateway images we ship.

 Security Team has re-scanned the cited Gateway and the vulnerability did not show up.  Maybe a false alarm.