CVE-2021-22884

Опубликовано: 03 мар. 2021

Источник: ubuntu

Приоритет: medium

EPSS Низкий

CVSS2: 5.1

CVSS3: 7.5

Описание

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.

Релиз	Статус	Примечание
bionic	ignored	end of standard support, was needs-triage
devel	not-affected	18.7.0+dfsg-5ubuntu1
esm-apps/bionic	released	8.10.0~dfsg-2ubuntu0.4+esm3
esm-apps/focal	released	10.19.0~dfsg-3ubuntu1.2
esm-apps/jammy	not-affected	12.22.9~dfsg-1ubuntu3
esm-apps/xenial	not-affected	code not present
esm-infra-legacy/trusty	not-affected	code not present
focal	released	10.19.0~dfsg-3ubuntu1.2
groovy	ignored	end of life
hirsute	ignored	end of life

Показывать по

Ссылки на источники

EPSS

Процентиль: 72%

0.00741

Низкий

5.1 Medium

CVSS2

7.5 High

CVSS3

Связанные уязвимости

CVE-2021-22884

CVSS3: 7.5

redhat

больше 4 лет назад

CVE-2021-22884

CVSS3: 7.5

nvd

больше 4 лет назад

CVE-2021-22884

CVSS3: 7.5

debian

больше 4 лет назад

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to ...

openSUSE-SU-2021:0389-1

suse-cvrf

больше 4 лет назад

Security update for nodejs8

SUSE-SU-2021:0686-1

suse-cvrf

больше 4 лет назад

Security update for nodejs8

EPSS

Процентиль: 72%

0.00741

Низкий

5.1 Medium

CVSS2

7.5 High

CVSS3

CVE-2021-22884

Описание

Пакет nodejs

Ссылки на источники

Связанные уязвимости