CVE-2018-7160

CWE-350 CWE-290 CWE-20 — Improper Input Validation16 documents10 sources

Severity

8.8HIGH

EPSS

1.5%

top 18.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Node Nodejs Node.js THE Node.js Project Node.js

Timeline

PublishedMay 17

Latest updateJan 12

Description

The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local netw…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶npmnode-inspector

▶CVEListV5nodejs/node4.0 — 4.*+11

▶NVDnodejs/node.js6.9.0 — 6.14.0+4

▶Debiannodejs< 8.11.1~dfsg-2+3

▶CVEListV5the_node.js_project/node.js^6.0.0 || ^8.0.0 || ^9.0.0

🔴Vulnerability Details

GHSA

Withdrawn Advisory: Node.js Inspector RCE via DNS Rebinding↗2022-05-13

▶

OSV

CVE-2018-7160: The Node↗2018-05-17

▶

CVEList

CVE-2018-7160: The Node↗2018-05-17

▶

OSV

webkit2gtk vulnerabilities↗2018-01-30

▶

📋Vendor Advisories

Ubuntu

Node.js vulnerabilities↗2021-03-15

▶

Red Hat

nodejs: DNS rebinding in --inspect↗2021-02-18

▶

CVE-2018-15316: In F5 BIG-IP APM 13↗2018-10-19

▶

Red Hat

nodejs: Inspector DNS rebinding vulnerability↗2018-03-08

▶

Debian

CVE-2018-7160: nodejs - The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack ...↗2018

▶

💬Community

HackerOne

DNS rebinding in --inspect (insufficient fix of CVE-2022-32212 affecting macOS devices)↗2023-01-12

▶

HackerOne

DNS rebinding in --inspect (insufficient fix of CVE-2022-32212 affecting macOS devices)↗2022-09-28

▶

HackerOne

DNS rebinding in --inspect (insufficient fix of CVE-2018-7160)↗2021-02-23

▶

Bugzilla

CVE-2018-7160 nodejs: Inspector DNS rebinding vulnerability↗2018-03-29

▶

Bugzilla

CVE-2018-7158 CVE-2018-7159 CVE-2018-7160 nodejs: various flaws [fedora-all]↗2018-03-29

▶