systeminformation is a System and OS information library for node.js. In affected versions, SSIDs are not sanitized before they are passed as a parameter to cmd.exe in the `getWindowsIEEE8021x` function. Because a wireless network name is chosen by whoever operates the access point, malicious content in the SSID can be executed as OS commands on the host running the library. Depending on how the package is used, this may enable an attacker to perform remote code execution or local privilege escalation. This issue has been addressed in version 5.23.7 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
History

Fri, 20 Dec 2024 20:30:00 +0000

Type | Values Removed | Values Added
Description | | systeminformation is a System and OS information library for node.js. In affected versions, SSIDs are not sanitized before they are passed as a parameter to cmd.exe in the `getWindowsIEEE8021x` function. This means that malicious content in the SSID can be executed as OS commands. This vulnerability may enable an attacker, depending on how the package is used, to perform remote code execution or local privilege escalation. This issue has been addressed in version 5.23.7 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Title | | Command injection vulnerability in getWindowsIEEE8021x (SSID) function in systeminformation
Weaknesses | | CWE-94 (Improper Control of Generation of Code, 'Code Injection')
References | |
Metrics | | cvssV3_1: score 7.8, vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (local attack vector, low complexity, no privileges required, user interaction required, scope unchanged, high confidentiality, integrity and availability impact)


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-12-20T20:10:12.578Z

Updated: 2024-12-20T20:10:12.578Z

Reserved: 2024-12-19T18:39:53.612Z

Link: CVE-2024-56334

Vulnrichment

No data.

NVD

Status: Received

Published: 2024-12-20T21:15:10.080

Modified: 2024-12-20T21:15:10.080

Link: CVE-2024-56334

Redhat

No data.