Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTN3Y3EteDNtcS02cjlw
Potential memory exposure in dns-packet
This affects the package dns-packet before versions 1.3.2 and 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.
Permalink: https://github.com/advisories/GHSA-3wcq-x3mq-6r9pJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTN3Y3EteDNtcS02cjlw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: 11 months ago
CVSS Score: 7.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
Identifiers: GHSA-3wcq-x3mq-6r9p, CVE-2021-23386
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23386
- https://github.com/mafintosh/dns-packet/commit/25f15dd0fedc53688b25fd053ebbdffe3d5c1c56
- https://hackerone.com/bugs?subject=user&%3Breport_id=968858
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1295719
- https://snyk.io/vuln/SNYK-JS-DNSPACKET-1293563
- https://github.com/mafintosh/dns-packet/commit/0d0d593f8df4e2712c43957a6c62e95047f12b2d
- https://github.com/advisories/GHSA-3wcq-x3mq-6r9p
Blast Radius: 49.8
Affected Packages
npm:dns-packet
Dependent packages: 535Dependent repositories: 2,905,460
Downloads: 48,251,240 last month
Affected Version Ranges: >= 2.0.0, < 5.2.2, < 1.3.2
Fixed in: 5.2.2, 1.3.2
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 2.0.0, 3.0.0, 3.0.1, 4.0.0, 4.1.0, 4.1.1, 4.2.0, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.2.1
All unaffected versions: 1.3.2, 1.3.3, 1.3.4, 5.2.2, 5.2.3, 5.2.4, 5.3.0, 5.3.1, 5.4.0, 5.5.0, 5.6.0, 5.6.1