CVE-2021-21315 — AI Deep Analysis Summary

🚨 **Essence**: OS Command Injection in `systeminformation` library. 💥 **Consequences**: Attackers execute arbitrary OS commands via unsanitized input. Critical integrity loss (I:H) and system compromise.

🛡️ **CWE-78**: OS Command Injection. 🐛 **Flaw**: External input (service parameters) passed to functions like `si.inetLatency()` or `si.services()` is not properly filtered for special characters or commands.

📦 **Vendor**: sebhildebrandt. 📦 **Product**: `systeminformation` (Node.js npm package). ⚠️ **Affected**: Versions prior to fix (likely <5.3.1 based on Cordova advisory).

👑 **Privileges**: Local attacker (AV:L) with no privileges (PR:N) can achieve High Integrity impact. 📂 **Data**: Can execute illegal OS commands, potentially gaining reverse shells or full system control.

🔓 **Threshold**: Low for local access. Requires Local Access (AV:L) but No Privileges (PR:N) and No User Interaction (UI:N). Easy to exploit if local access is gained.

🔥 **Public Exp**: YES. Multiple PoCs available on GitHub (Python, Rust, Node). 🌐 **Wild Exp**: Active in CTFs; potential for real-world reverse shell attacks.

🔍 **Self-Check**: Scan for `systeminformation` npm package usage. 🧪 **Test**: Check if `si.inetLatency()`, `si.inetChecksite()`, `si.services()`, or `si.processLoad()` accept array inputs instead of sanitized strings.

✅ **Fixed**: YES. Vendor released patch (Commit 07daa05). 📌 **Fix**: Update `systeminformation` to version >=5.3.1. Sanitize service parameters to reject arrays.

🛡️ **Workaround**: If patching impossible, strictly sanitize inputs. ✅ **Rule**: Only allow strings. ❌ **Reject**: Any array inputs passed to vulnerable functions.

🔴 **Urgency**: HIGH. CVSS Score indicates High Integrity impact. Local exploitability is low effort. Immediate patching to v5.3.1+ is critical for security.