CVE-2020-7778 Systeminformation NPM package (Command Injection)
Virsec Security Research Lab Vulnerability Analysis
The Virsec Security Research Lab provides timely, relevant analysis about recent and notable security vulnerabilities.
1.1 Vulnerability Summary
This vulnerability affects the systeminformation package in versions before 4.30.2. An attacker can overwrite the properties and functions of an object, which can lead to the execution of OS commands.
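As an added illustration (not code from the systeminformation package or from Virsec), the hypothetical Node.js snippet below shows the bug class the summary describes: a sanitizer that validates only string arguments, which an object whose toString has been overwritten slips past, next to a hardened version that rejects non-strings and never hands the value to a shell. Function names, the allowed-character pattern and the sample inputs are constructed for this example.

```javascript
// Constructed illustration of the CVE-2020-7778 bug class; not code from
// the systeminformation package. All names here are hypothetical.

// Weak sanitizer: only string arguments are cleaned. Anything else (for
// example an object whose toString was overwritten) is returned untouched
// and later coerced to a string when the command line is assembled.
function sanitizeWeak(arg) {
  if (typeof arg === 'string') {
    return arg.replace(/[;&|`$()<>\\"']/g, '');
  }
  return arg;
}

// Naive command-line assembly via string interpolation. The command is
// only returned here, never executed.
function buildPingCommandWeak(host) {
  return `ping -c 1 ${sanitizeWeak(host)}`;
}

// Hardened form: reject anything that is not a plain string, accept only
// hostname characters, and keep the value as a separate argv element so
// that no shell ever parses it (e.g. child_process.execFile('ping', argv)).
function sanitizeHardened(arg) {
  if (typeof arg !== 'string') {
    throw new TypeError('host must be a string');
  }
  if (!/^[A-Za-z0-9.-]{1,253}$/.test(arg)) {
    throw new Error('host contains characters outside the allowed set');
  }
  return arg;
}

function buildPingArgvHardened(host) {
  return ['ping', ['-c', '1', sanitizeHardened(host)]];
}

// Constructed inputs: a benign host, and an object whose toString has been
// overwritten so the weak typeof check never sees a string.
const benignHost = 'example.com';
const overwrittenObject = { toString: () => 'example.com; echo injected' };

function demo() {
  return {
    weakBenign: buildPingCommandWeak(benignHost),
    weakOverwritten: buildPingCommandWeak(overwrittenObject),
    hardenedBenign: buildPingArgvHardened(benignHost),
  };
}
```

Running demo() shows the weak path producing a command line with an injected second command, while the hardened path either returns a clean argv array or throws.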
1.2 CVSS Score
The CVSS base score of this vulnerability is 7.3 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1.3 Affected Version
systeminformation NPM package (system and OS information library for Node.js), versions before 4.30.2
1.4 Vulnerability Attribution
This vulnerability was reported by Snyk.
1.5 Risk Impact
systeminformation is a Node.js library (system and OS information library for Node.js) with roughly 20 million downloads overall. This vulnerability can be used to plant a remote backdoor on the system, which can then be used for lateral movement or exfiltration of sensitive server information. An exploit is publicly available here.
1.6 Virsec Security Platform (VSP) Support
The Virsec Security Platform (VSP)-Web has the capability to detect all types of command injection attack and prevent this vulnerability from being exploited.
VSP-Host monitors spawned processes that are not part of a set of whitelisted processes. Any attempt to execute a new command or an unknown binary would be denied by VSP-Host's Process Monitoring capability.
1.7 Reference Links
Download the full vulnerability report to learn more about this and other important vulnerabilities.