CVE-2018-7160
published 2018-05-17


Severity: High, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
The Node.js inspector, in 6.x and later, is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or on another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser into bypassing same-origin-policy checks and allowing HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger and get full code execution access.

Affected

49 ranges, showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nodejs | < nodejs 8.11.1~dfsg-2 (bookworm) | nodejs 8.11.1~dfsg-2 (bookworm) |
| debian | nodejs | < nodejs 12.21.0~dfsg-1 (bookworm) | nodejs 12.21.0~dfsg-1 (bookworm) |
| f5 | big-ip_access_policy_manager_client | | |
| f5 | big-ip_apm | | |
| f5 | big-ip_edge_client | | |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| nodejs | node | >= 10.0 < 10.24.0 | 10.24.0 |
| nodejs | node | >= 11.0 < 11.* | 11.* |
| nodejs | node | >= 12.0 < 12.21.0 | 12.21.0 |
| nodejs | node | >= 13.0 < 13.* | 13.* |
| nodejs | node | >= 14.0 < 14.16.0 | 14.16.0 |
| nodejs | node | >= 15.0 < 15.10.0 | 15.10.0 |
| nodejs | node | >= 4.0 < 4.* | 4.* |
| nodejs | node | >= 5.0 < 5.* | 5.* |
| nodejs | node | >= 6.0 < 6.* | 6.* |
| nodejs | node | >= 7.0 < 7.* | 7.* |
| nodejs | node | >= 8.0 < 8.* | 8.* |
| nodejs | node | >= 9.0 < 9.* | 9.* |
| nodejs | node.js | >= 10.0.0 < 10.24.0 | 10.24.0 |
| nodejs | node.js | >= 12.0.0 < 12.21.0 | 12.21.0 |
| nodejs | node.js | >= 14.0.0 < 14.16.0 | 14.16.0 |
| nodejs | node.js | >= 15.0.0 < 15.10.0 | 15.10.0 |
| nodejs | node.js | 6.0.0 – 6.8.1 | |

CVSS provenance

nvd: v3.1, 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv: 8.8 HIGH