CVE-2021-29418
published 2021-03-30CVE-2021-29418: The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some…
PriorityP429medium5.3CVSS 3.1
AVNACLPRNUINSUCNILAN
EPSS
1.68%
74.1th percentile
The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netmask_project | netmask | < 2.0.1 | 2.0.1 |
| netmask_project | netmask | >= 0 < 1.1.0 | 1.1.0 |
| netmask_project | netmask | >= 0 < 2.0.1 | 2.0.1 |
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:P/A:N
ghsa9.1CRITICAL
osv9.1CRITICAL
vendor_redhat9.1CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Improper parsing of octal bytes in netmask
osv·2021-04-14·CVSS 5.3
CVE-2021-28918 [MEDIUM] Improper parsing of octal bytes in netmask
Improper parsing of octal bytes in netmask
Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.
:exclamation: NOTE: The fix for this issue was incomplete. A subsequent fix was made in version `2.0.1` which was assigned [CVE-2021-29418 / GHSA-pch5-whg9-qr2r](https://github.com/advisories/GHSA-pch5-whg9-qr2r). For complete protection from this vulnerability an upgrade to version 2.0.1 or later is recommended.
GHSA
Improper parsing of octal bytes in netmask
ghsa·2021-04-14·CVSS 5.3
CVE-2021-28918 [MEDIUM] CWE-20 Improper parsing of octal bytes in netmask
Improper parsing of octal bytes in netmask
Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.
:exclamation: NOTE: The fix for this issue was incomplete. A subsequent fix was made in version `2.0.1` which was assigned [CVE-2021-29418 / GHSA-pch5-whg9-qr2r](https://github.com/advisories/GHSA-pch5-whg9-qr2r). For complete protection from this vulnerability an upgrade to version 2.0.1 or later is recommended.
OSV
netmask npm package mishandles octal input data
osv·2021-03-29·CVSS 9.1
CVE-2021-29418 [CRITICAL] netmask npm package mishandles octal input data
netmask npm package mishandles octal input data
The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.
GHSA
netmask npm package mishandles octal input data
ghsa·2021-03-29·CVSS 9.1
CVE-2021-29418 [CRITICAL] CWE-20 netmask npm package mishandles octal input data
netmask npm package mishandles octal input data
The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.
Red Hat
nodejs-netmask: incorrectly parses an IP address that has octal integer with invalid character
vendor_redhat·2021-03-29·CVSS 9.1
CVE-2021-29418 [CRITICAL] CWE-20 nodejs-netmask: incorrectly parses an IP address that has octal integer with invalid character
nodejs-netmask: incorrectly parses an IP address that has octal integer with invalid character
The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.
Statement: The impact of this flaw largely depends on the environment where the affected library is being used. This flaw could be used to redirect an adversary to an exposed, unprotected endpoint. Depending on the functionality of the affected endpoint that could result in a loss of confidentiality, integrity and availability. The affected library is used in Red Hat Advanced Cluster Mana
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/rs/node-netmask/commit/3f19a056c4eb808ea4a29f234274c67bc5a848f4https://security.netapp.com/advisory/ntap-20210604-0001/https://vuln.ryotak.me/advisories/6https://github.com/rs/node-netmask/commit/3f19a056c4eb808ea4a29f234274c67bc5a848f4https://security.netapp.com/advisory/ntap-20210604-0001/https://vuln.ryotak.me/advisories/6
2021-03-30
Published