Vulnerability CVE-2021-23386
Published: 2021-05-20

Description:
This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.

Type:

CWE-200

 (Information Exposure)

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4/10
2.9/10
8/10
Exploit range
Attack complexity
Authentication
Remote
Low
Single time
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None
Affected software
Dns-packet project -> Dns-packet 

 References:
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1295719
https://snyk.io/vuln/SNYK-JS-DNSPACKET-1293563
https://hackerone.com/bugs?subject=user&amp%3Breport_id=968858
https://github.com/mafintosh/dns-packet/commit/25f15dd0fedc53688b25fd053ebbdffe3d5c1c56
Copyright 2024, cxsecurity.com

 

Back to Top