Description
The Node.js inspector, in 6.x and later, is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser into bypassing same-origin-policy checks and allowing HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger and get full code execution access.
Release | Status | Note |
---|---|---|
artful | ignored | end of life |
bionic | ignored | end of standard support, was needed |
cosmic | not-affected | 8.11.2~dfsg-1 |
devel | not-affected | 8.11.2~dfsg-1 |
disco | not-affected | 8.11.2~dfsg-1 |
eoan | not-affected | 8.11.2~dfsg-1 |
esm-apps/bionic | released | 8.10.0~dfsg-2ubuntu0.4+esm1 |
esm-apps/focal | not-affected | 8.11.2~dfsg-1 |
esm-apps/jammy | not-affected | 8.11.2~dfsg-1 |
esm-apps/xenial | not-affected | code not present |
CVSS2: 6.8 Medium
CVSS3: 8.8 High
Related vulnerabilities
The Node.js inspector, in 6.x and later is vulnerable to a DNS rebindi ...
Withdrawn Advisory: Node.js Inspector RCE via DNS Rebinding