CVE-2020-26274 - OpenCVE

In systeminformation (npm package) before version 4.31.1 there is a command injection vulnerability. The problem was fixed in version 4.31.1 with a shell string sanitation fix.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Systeminformation	Systeminformation

Configuration 1 [-]

cpe:2.3:a:systeminformation:systeminformation:*:*:*:*:*:node.js:*:*

References

Link	Resource
https://github.com/sebhildebrandt/systeminformation/commit/1faadcbf68f1b1fdd5eb2054f68fc932be32ac99	Patch Third Party Advisory
https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-m57p-p67h-mq74	Third Party Advisory
https://www.npmjs.com/package/systeminformation	Product Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-12-16T19:30:18

Updated: 2020-12-16T19:30:18

Reserved: 2020-10-01T00:00:00

Link: CVE-2020-26274

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-12-16T20:15:14.093

Modified: 2020-12-18T14:04:33.960

Link: CVE-2020-26274

JSON object: View

Redhat Information

No data.

CWE

CWE-78

{"containers": {"cna": {"affected": [{"product": "systeminformation", "vendor": "sebhildebrandt", "versions": [{"status": "affected", "version": "< 4.31.1"}]}], "descriptions": [{"lang": "en", "value": "In systeminformation (npm package) before version 4.31.1 there is a command injection vulnerability. The problem was fixed in version 4.31.1 with a shell string sanitation fix."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-12-16T19:30:18", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-m57p-p67h-mq74"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/sebhildebrandt/systeminformation/commit/1faadcbf68f1b1fdd5eb2054f68fc932be32ac99"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/systeminformation"}], "source": {"advisory": "GHSA-m57p-p67h-mq74", "discovery": "UNKNOWN"}, "title": "Command Injection Vulnerability in systeminformation", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-26274", "STATE": "PUBLIC", "TITLE": "Command Injection Vulnerability in systeminformation"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "systeminformation", "version": {"version_data": [{"version_value": "< 4.31.1"}]}}]}, "vendor_name": "sebhildebrandt"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In systeminformation (npm package) before version 4.31.1 there is a command injection vulnerability. The problem was fixed in version 4.31.1 with a shell string sanitation fix."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-m57p-p67h-mq74", "refsource": "CONFIRM", "url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-m57p-p67h-mq74"}, {"name": "https://github.com/sebhildebrandt/systeminformation/commit/1faadcbf68f1b1fdd5eb2054f68fc932be32ac99", "refsource": "MISC", "url": "https://github.com/sebhildebrandt/systeminformation/commit/1faadcbf68f1b1fdd5eb2054f68fc932be32ac99"}, {"name": "https://www.npmjs.com/package/systeminformation", "refsource": "MISC", "url": "https://www.npmjs.com/package/systeminformation"}]}, "source": {"advisory": "GHSA-m57p-p67h-mq74", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-26274", "datePublished": "2020-12-16T19:30:18", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2020-12-16T19:30:18", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:systeminformation:systeminformation:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "2F3747DA-FD6E-4FA9-9354-2AFE6AA75517", "versionEndExcluding": "4.31.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In systeminformation (npm package) before version 4.31.1 there is a command injection vulnerability. The problem was fixed in version 4.31.1 with a shell string sanitation fix."}, {"lang": "es", "value": "En systeminformation (paquete npm) versiones anteriores a 4.31.1, se presenta una vulnerabilidad de inyecci\u00f3n de comandos. El problema se corrigi\u00f3 en la versi\u00f3n 4.31.1, con una correcci\u00f3n del saneamiento de la cadena de shell"}], "id": "CVE-2020-26274", "lastModified": "2020-12-18T14:04:33.960", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-12-16T20:15:14.093", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/sebhildebrandt/systeminformation/commit/1faadcbf68f1b1fdd5eb2054f68fc932be32ac99"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-m57p-p67h-mq74"}, {"source": "security-advisories@github.com", "tags": ["Product", "Third Party Advisory"], "url": "https://www.npmjs.com/package/systeminformation"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}]}