CVE-2024-56334
Description
systeminformation is a System and OS information library for node.js. In affected versions SSIDs are not sanitized before they are passed as a parameter to cmd.exe in the `getWindowsIEEE8021x` function. This means that malicious content in the SSID can be executed as OS commands. This vulnerability may enable an attacker, depending on how the package is used, to perform remote code execution or local privilege escalation. This issue has been addressed in version 5.23.7 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-56334
| Name | CVE-2024-56334 |
|---|---|
| Description | systeminformation is a System and OS information library for node.js. In affected versions SSIDs are not sanitized before they are passed as a parameter to cmd.exe in the `getWindowsIEEE8021x` function. This means that malicious content in the SSID can be executed as OS commands. This vulnerability may enable an attacker, depending on how the package is used, to perform remote code execution or local privilege escalation. This issue has been addressed in version 5.23.7 and all users are advised to upgrade. There are no known workarounds for this vulnerability. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| jupyterlab (PTS) | trixie | 4.0.11+ds1+~cs11.25.27-7 | vulnerable |
| jupyterlab (PTS) | forky | 4.0.11+ds5+~cs11.25.27-1 | fixed |
| jupyterlab (PTS) | sid | 4.0.13+ds1+~2.0.1+~cs1.4.4-1 | fixed |
| node-systeminformation (PTS) | forky | 5.31.6-4 | fixed |
| node-systeminformation (PTS) | sid | 5.31.7-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| jupyterlab | source | (unstable) | 4.0.11+ds5+~cs11.25.27-1 | | | |
| node-systeminformation | source | (unstable) | (not affected) | | | |
Notes
- node-systeminformation <not-affected> (Fixed before initial upload to Debian)
  node-systeminformation split from jupyterlab
OS impact
Debian: mixed status across 3 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Affected | |
| sid | Fixed | 0 |
| forky | Fixed | 0 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| npm | systeminformation | <5.23.7 | 5.23.7 |
References
- https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-cvv5-9h9w-qp2m
- https://nvd.nist.gov/vuln/detail/CVE-2024-56334
- https://github.com/sebhildebrandt/systeminformation/commit/f7af0a67b78e7894335a6cad510566a25e06ae41
- https://github.com/sebhildebrandt/systeminformation
- https://security-tracker.debian.org/tracker/CVE-2024-56334