CVE-2021-22884

CWE-350 CWE-20 — Improper Input Validation CWE-50610 documents8 sources

Severity

7.5HIGH

EPSS

0.3%

top 49.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Node Nodejs Node.js Oracle JD Edwards Enterpriseone Tools +6 more

Timeline

PublishedMar 3

Latest updateOct 5

Description

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack d…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages9 packages

▶CVEListV5nodejs/node4.0 — 4.*+11

▶NVDnodejs/node.js10.0.0 — 10.24.0+3

▶NVDsiemens/sinec_infrastructure_network_services< 1.0.1.1

▶Debiannodejs< 12.21.0~dfsg-1+3

▶NVDoracle/nosql_database< 20.3

Also affects: Fedora 32, 33, 34

Patches

Patch: cert-portal.siemens.com ↗Patch: nodejs.org ↗Patch: nodejs.org ↗

🔴Vulnerability Details

OSV

nodejs vulnerabilities↗2023-10-05

▶

GHSA

Node.js bad↗2022-05-24

▶

CVEList

CVE-2021-22884: Node↗2021-03-03

▶

OSV

CVE-2021-22884: Node↗2021-03-03

▶

📋Vendor Advisories

Ubuntu

Node.js vulnerabilities↗2023-10-05

▶

Oracle

Oracle Oracle JD Edwards Risk Matrix: E1 Dev Platform Tech (Node.js) — CVE-2021-22884↗2021-10-15

▶

Oracle

Oracle Oracle MySQL Risk Matrix: Cluster: JS module (Node.js) — CVE-2021-22884↗2021-07-15

▶

Red Hat

nodejs: DNS rebinding in --inspect↗2021-02-18

▶

Debian

CVE-2021-22884: nodejs - Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebin...↗2021

▶