
CVE-2021-22884

Published: 03/03/2021 Updated: 07/11/2023
CVSS v2 Base Score: 5.1 | Impact Score: 6.4 | Exploitability Score: 4.9
CVSS v3 Base Score: 7.5 | Impact Score: 5.9 | Exploitability Score: 1.6
VMScore: 455
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

Vulnerability Summary

Node.js prior to 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over the network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
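The allowlist weakness described above, as an added JavaScript illustration that is not Node.js source code: a Host-header check for a loopback-only debug endpoint, run once with a name list containing “localhost6” and once without it. All function and constant names, the port and the sample headers are assumptions made for this example.

```javascript
// Added illustration; not Node.js source. All names here are hypothetical.
// Models a Host-header check guarding a loopback-only debug endpoint.

// Names treated as "local". The weak list mirrors the flaw in the summary:
// "localhost6" is only local if /etc/hosts defines it; otherwise it goes to DNS.
const WEAK_NAMES = new Set(['localhost', 'localhost6']);
const HARDENED_NAMES = new Set(['localhost']);

// Extract the hostname from a Host header value, or return null if malformed.
function hostnameFromHeader(hostHeader) {
  if (typeof hostHeader !== 'string') return null;
  // Only characters valid in host[:port]; rejects '/', '@', '?', whitespace.
  if (!/^[A-Za-z0-9.\-:\[\]]+$/.test(hostHeader)) return null;
  try {
    return new URL(`http://${hostHeader}`).hostname.toLowerCase();
  } catch {
    return null; // invalid port, malformed IPv6 literal, etc.
  }
}

// True for IPv4 dotted quads and bracketed IPv6 literals as normalised by URL.
function isIpLiteral(hostname) {
  return hostname.startsWith('[') || /^\d+\.\d+\.\d+\.\d+$/.test(hostname);
}

// An IP literal in Host means the client addressed the socket by IP, so no
// DNS answer was involved. Any accepted name must never depend on DNS.
function isAllowedHost(hostHeader, allowedNames) {
  const hostname = hostnameFromHeader(hostHeader);
  if (hostname === null) return false;
  return isIpLiteral(hostname) || allowedNames.has(hostname);
}

// Constructed sample Host headers, evaluated against both lists.
function demo() {
  const samples = ['127.0.0.1:9229', '[::1]:9229', 'localhost:9229',
                   'localhost6:9229', 'rebind.example:9229'];
  return samples.map((h) => ({
    host: h,
    weak: isAllowedHost(h, WEAK_NAMES),
    hardened: isAllowedHost(h, HARDENED_NAMES),
  }));
}

console.table(demo());
```

Only the “localhost6” row differs between the two columns, which is the single name whose resolution can fall through to DNS on hosts where /etc/hosts does not define it.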

Vulnerable Product

nodejs node.js

fedoraproject fedora 32

fedoraproject fedora 33

fedoraproject fedora 34

netapp snapcenter -

netapp oncommand workflow automation -

netapp oncommand insight -

netapp active iq unified manager -

netapp e-series performance analyzer -

oracle peoplesoft enterprise peopletools 8.58

oracle graalvm 20.3.1.2

oracle graalvm 21.0.0.2

oracle graalvm 19.3.5

oracle nosql database

oracle mysql cluster

oracle peoplesoft enterprise peopletools 8.59

oracle jd edwards enterpriseone tools

siemens sinec infrastructure network services

Vendor Advisories

Two vulnerabilities were discovered in Node.js, which could result in denial of service or DNS rebinding attacks. For the stable distribution (buster), these problems have been fixed in version 10.24.0~dfsg-1~deb10u1. We recommend that you upgrade your nodejs packages. For the detailed security status of nodejs please refer to its security tracker ...
Node.js before versions 15.10.0, 14.16.0, 12.21.0 and 10.24.0 is vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its respo ...
Multiple vulnerabilities have been found in Hitachi Ops Center Analyzer. CVE-2020-8252, CVE-2020-8265, CVE-2021-22883, CVE-2021-22884. Affected products and versions are listed below. Please upgrade your version to the appropriate version ...

ICS Advisories

Siemens SINEC INS
Critical Infrastructure Sectors: Energy