{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-56334", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-12-19T18:39:53.612Z", "datePublished": "2024-12-20T20:10:12.578Z", "dateUpdated": "2024-12-24T16:32:35.731Z"}, "containers": {"cna": {"title": "Command injection vulnerability in getWindowsIEEE8021x (SSID) function in systeminformation", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-cvv5-9h9w-qp2m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-cvv5-9h9w-qp2m"}, {"name": "https://github.com/sebhildebrandt/systeminformation/commit/f7af0a67b78e7894335a6cad510566a25e06ae41", "tags": ["x_refsource_MISC"], "url": "https://github.com/sebhildebrandt/systeminformation/commit/f7af0a67b78e7894335a6cad510566a25e06ae41"}], "affected": [{"vendor": "sebhildebrandt", "product": "systeminformation", "versions": [{"version": "< 5.23.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-20T20:10:12.578Z"}, "descriptions": [{"lang": "en", "value": "systeminformation is a System and OS information library for node.js. In affected versions SSIDs are not sanitized when before they are passed as a parameter to cmd.exe in the `getWindowsIEEE8021x` function. This means that malicious content in the SSID can be executed as OS commands. This vulnerability may enable an attacker, depending on how the package is used, to perform remote code execution or local privilege escalation. This issue has been addressed in version 5.23.7 and all users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-cvv5-9h9w-qp2m", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-cvv5-9h9w-qp2m", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-24T16:32:16.418664Z", "id": "CVE-2024-56334", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-24T16:32:35.731Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-56334", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-12-24T16:32:16.418664Z"}}}], "references": [{"url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-cvv5-9h9w-qp2m", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-24T16:32:30.447Z"}}], "cna": {"title": "Command injection vulnerability in getWindowsIEEE8021x (SSID) function in systeminformation", "source": {"advisory": "GHSA-cvv5-9h9w-qp2m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "sebhildebrandt", "product": "systeminformation", "versions": [{"status": "affected", "version": "< 5.23.7"}]}], "references": [{"url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-cvv5-9h9w-qp2m", "name": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-cvv5-9h9w-qp2m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/sebhildebrandt/systeminformation/commit/f7af0a67b78e7894335a6cad510566a25e06ae41", "name": "https://github.com/sebhildebrandt/systeminformation/commit/f7af0a67b78e7894335a6cad510566a25e06ae41", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "systeminformation is a System and OS information library for node.js. In affected versions SSIDs are not sanitized when before they are passed as a parameter to cmd.exe in the `getWindowsIEEE8021x` function. This means that malicious content in the SSID can be executed as OS commands. This vulnerability may enable an attacker, depending on how the package is used, to perform remote code execution or local privilege escalation. This issue has been addressed in version 5.23.7 and all users are advised to upgrade. There are no known workarounds for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-20T20:10:12.578Z"}}}, "cveMetadata": {"cveId": "CVE-2024-56334", "state": "PUBLISHED", "dateUpdated": "2024-12-24T16:32:35.731Z", "dateReserved": "2024-12-19T18:39:53.612Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-12-20T20:10:12.578Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "systeminformation is a System and OS information library for node.js. In affected versions SSIDs are not sanitized when before they are passed as a parameter to cmd.exe in the `getWindowsIEEE8021x` function. This means that malicious content in the SSID can be executed as OS commands. This vulnerability may enable an attacker, depending on how the package is used, to perform remote code execution or local privilege escalation. This issue has been addressed in version 5.23.7 and all users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "systeminformation es una librer\u00eda de informaci\u00f3n del sistema y del SO para node.js. En las versiones afectadas, los SSID no se desinfectan antes de que se pasen como par\u00e1metro a cmd.exe en la funci\u00f3n `getWindowsIEEE8021x`. Esto significa que el contenido malicioso en el SSID se puede ejecutar como comandos del SO. Esta vulnerabilidad puede permitir a un atacante, seg\u00fan c\u00f3mo se use el paquete, realizar una ejecuci\u00f3n de c\u00f3digo remoto o una escalada de privilegios locales. Este problema se ha solucionado en la versi\u00f3n 5.23.7 y se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2024-56334", "lastModified": "2024-12-24T17:15:09.760", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-12-20T21:15:10.080", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/sebhildebrandt/systeminformation/commit/f7af0a67b78e7894335a6cad510566a25e06ae41"}, {"source": "security-advisories@github.com", "url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-cvv5-9h9w-qp2m"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-cvv5-9h9w-qp2m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHBA-2025:0409", "cpe": "cpe:/a:redhat:rhdh:1.4::el9", "package": "registry.redhat.io/rhdh/rhdh-hub-rhel9:sha256:d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572", "product_name": "Red Hat Developer Hub (RHDH) 1.4", "release_date": "2025-01-20T00:00:00Z"}], "bugzilla": {"description": "systeminformation: Command injection vulnerability in getWindowsIEEE8021x (SSID) function in systeminformation", "id": "2333587", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333587"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.0", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-94", "details": ["systeminformation is a System and OS information library for node.js. In affected versions SSIDs are not sanitized when before they are passed as a parameter to cmd.exe in the `getWindowsIEEE8021x` function. This means that malicious content in the SSID can be executed as OS commands. This vulnerability may enable an attacker, depending on how the package is used, to perform remote code execution or local privilege escalation. This issue has been addressed in version 5.23.7 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", "A flaw was found in the systeminformation library for Node.js. In Windows systems, the SSID parameter of the `getWindowsIEEE8021x` function is not sanitized before it is passed to cmd.exe. This may allow a remote attacker to execute arbitrary commands on the target system."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-56334", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh/rhdh-rhel9-operator", "product_name": "Red Hat Developer Hub"}], "public_date": "2024-12-20T20:10:12Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-56334\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-56334\nhttps://github.com/sebhildebrandt/systeminformation/commit/f7af0a67b78e7894335a6cad510566a25e06ae41\nhttps://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-cvv5-9h9w-qp2m"], "statement": "This vulnerability in the systeminformation library is marked as a high-severity issue because it allows for the execution of arbitrary commands via an unsanitized SSID input passed to `cmd.exe`. Since this flaw can lead to remote code execution (RCE) or local privilege escalation, it provides an attacker with the potential to execute malicious scripts on the affected system.", "threat_severity": "Important"}