Platform: nodejs
Component: systeminformation
Fixed in: 5.23.8
CVE-2024-56334 describes a Command Injection vulnerability discovered in the systeminformation Node.js library. This flaw allows attackers to execute arbitrary operating system commands by injecting malicious content into SSIDs. The vulnerability impacts versions of systeminformation up to 5.23.7, and a fix is available in version 5.23.7. Users are strongly advised to upgrade immediately.
The vulnerability arises from insufficient sanitization of SSIDs before they are passed as parameters to cmd.exe within the getWindowsIEEE8021x function. An attacker who can control the SSID value, either directly or indirectly through a compromised system, can inject malicious commands. Successful exploitation could lead to remote code execution (RCE) or local privilege escalation, depending on the context in which the systeminformation package is used. This could allow an attacker to gain control of the affected system, steal sensitive data, or install malware.
This vulnerability was publicly disclosed on December 20, 2024. There are currently no known active campaigns exploiting this specific vulnerability, but the ease of exploitation and potential for RCE suggest it could become a target. No public proof-of-concept (PoC) code has been released as of this writing, but the vulnerability's nature makes it likely that PoCs will emerge. It is not currently listed on the CISA KEV catalog.
Applications and systems that utilize the systeminformation Node.js library, particularly those that dynamically retrieve or process SSIDs from network interfaces, are at risk. This includes applications performing network diagnostics, system monitoring, or wireless configuration management. Shared hosting environments where multiple applications share the same Node.js runtime are also at increased risk.
• nodejs: Use npm audit to identify vulnerable dependencies.
  npm audit systeminformation
• nodejs: Check for the presence of systeminformation in package.json and verify the version is less than 5.23.7.
  grep "systeminformation" package.json
• generic web: Monitor Node.js application logs for unusual command execution attempts related to network interfaces or wireless configurations. Look for patterns resembling shell commands within SSID strings.
Disclosure
Exploit status
EPSS: 2.10% (84th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-56334 is to upgrade to version 5.23.7 or later of the systeminformation package. There are no known workarounds for this vulnerability beyond upgrading. If upgrading is not immediately feasible due to compatibility issues or breaking changes, carefully review all code that utilizes the getWindowsIEEE8021x function and implement strict input validation to sanitize SSIDs before they are passed to cmd.exe. After upgrading, confirm the fix by attempting to trigger the vulnerable function with a crafted SSID containing malicious commands; the command should not be executed.
Update the systeminformation library to version 5.23.7 or later. This fixes the command injection vulnerability in the getWindowsIEEE8021x (SSID) function. Run `npm install systeminformation@latest` to update.
CVE-2024-56334 is a Command Injection vulnerability in the systeminformation Node.js library, allowing attackers to execute OS commands through unsanitized SSIDs. It affects versions up to 5.23.7.
You are affected if you are using systeminformation version 5.23.7 or earlier. Check your package.json file to determine your version.
Upgrade to version 5.23.7 or later of the systeminformation package using npm install systeminformation@latest. There are no known workarounds.
As of December 2024, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the systeminformation GitHub repository for updates and advisories: https://github.com/systeminformation/systeminformation