GHSA-4v2w-h9jm-mqjg

Source

https://github.com/advisories/GHSA-4v2w-h9jm-mqjg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-4v2w-h9jm-mqjg/GHSA-4v2w-h9jm-mqjg.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4v2w-h9jm-mqjg

Aliases

CVE-2020-26245

Related

CVE-2020-26245

Published

2020-11-27T16:07:15Z

Modified

2023-11-08T04:03:16.008590Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L CVSS Calculator

Summary

Prototype Pollution in systeminformation

Details

Impact

command injection vulnerability by prototype pollution

Patches

Problem was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. Please upgrade to version >= 4.30.2

Workarounds

If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite()

For more information

If you have any questions or comments about this advisory:

Open an issue in systeminformation

Database specific

{
    "severity": "MODERATE",
    "github_reviewed_at": "2020-11-27T15:56:36Z",
    "cwe_ids": [
        "CWE-471",
        "CWE-78"
    ],
    "nvd_published_at": null,
    "github_reviewed": true
}

References

Affected packages

npm / systeminformation

Package

Name: systeminformation; View open source insights on deps.dev
Purl: pkg:npm/systeminformation

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.30.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-4v2w-h9jm-mqjg/GHSA-4v2w-h9jm-mqjg.json"