Free and open-source vulnerability scanner

Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.

Install Now

Available for macOS, Windows, and Linux

App screenshot

CVE-2021-22884

CVE information

Published

3 years ago

Last Modified

4 months ago

CVSSv2.0 Severity

Medium

CVSSv3.1 Severity

High

Impact Analysis

Description

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160..

CVSSv2.0 Score

Severity
Medium
Base Score
5.1/10
Exploit Score
4.9/10
Access Vector
Network
Access Complexity
High
Authentication Required
None
Impact Score
6.4/10
Confidentiality Impact
Partial
Availability Impact
Partial
Integrity Impact
Partial

CVSSv3.1 Score

Severity
High
Base Score
7.5/10
Exploit Score
1.6/10
Access Vector
Network
Access Complexity
High
Privileges Required
None
Impact Score
5.9/10
Confidentiality Impact
High
Availability Impact
High
Integrity Impact
High
Scope
Unchanged
User Interaction
Required

Products Affected

CPE Affected Vulnerable Excluding Edit
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
  Yes
15.0.0 15.10.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
  Yes
14.0.0 14.16.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
  Yes
12.0.0 12.21.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
  Yes
10.0.0 10.24.0
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
  Yes
- -
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  Yes
- -
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
  Yes
- -
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
  Yes
- -
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*
  Yes
- -
cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
  Yes
- -
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_
  Yes
- -
cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*
  Yes
- -
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows
  Yes
- -
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:
  Yes
- -
cpe:2.3:a:oracle:graalvm:20.3.1.2:*:*:*:enterprise:*:*:*
  Yes
- -
cpe:2.3:a:oracle:graalvm:21.0.0.2:*:*:*:enterprise:*:*:*
  Yes
- -
cpe:2.3:a:oracle:graalvm:19.3.5:*:*:*:enterprise:*:*:*
  Yes
- -
cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*
  Yes
- 20.3
cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*
  Yes
- -
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:
  Yes
- -
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:
  Yes
- 9.2.6.0
cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:
  Yes
- 1.0.1.1