Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBjaDUtd2hnOS1xcjJy

netmask npm package mishandles octal input data

The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as a 9 in an octet that begins with a leading zero (9 is not a valid octal digit). Where netmask's parse result is used to enforce IP-based access control, this allows attackers, in some situations, to bypass that control. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918, which concerned netmask's handling of leading-zero (octal) octets.
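The safe way to consume address strings for access control is to accept only the canonical dotted-quad form and treat everything else as a hard failure. The following is an added example written for this page, not code from the netmask package; the function names (parseStrictIPv4, inCidr, isAllowed) and the sample inputs are assumptions. It also contrasts a lenient octet parser built on parseInt(octet, 8), which silently stops at the first non-octal character, to show why a 9 in a leading-zero octet is a trap rather than an error; this is an illustration of the JavaScript primitive, not a claim about netmask's internal code.

```javascript
// Added example (not netmask's own code): a strict IPv4 parser and CIDR
// membership check intended for allow/deny decisions. Only four decimal
// octets 0-255 with no leading zeros are accepted, so octal-looking input
// such as "0177.0.0.1" or an invalid octal octet such as "09" is rejected
// instead of being quietly reinterpreted.

// Parse a canonical dotted quad into an unsigned 32-bit integer, or return
// null if the string is not in canonical form.
function parseStrictIPv4(s) {
  if (typeof s !== "string") return null;
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    // Exactly "0", or 1-3 decimal digits with no leading zero. No hex, no
    // whitespace, no sign, no empty octets.
    if (!/^(?:0|[1-9][0-9]{0,2})$/.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    value = value * 256 + n;
  }
  return value >>> 0;
}

// For contrast: a lenient octet parser built on parseInt(octet, 8).
// parseInt stops at the first character that is not a valid digit for the
// radix, so "09" becomes 0 and "0179" becomes 15, with no error raised.
function lenientOctalOctet(p) {
  return parseInt(p, 8);
}

// True if canonical address `ip` lies within `cidr` (e.g. "10.0.0.0/8").
// Both sides go through the strict parser; non-canonical input throws,
// so it can never be mistaken for a legitimate "not in range" result.
function inCidr(ip, cidr) {
  const [netStr, bitsStr] = cidr.split("/");
  const net = parseStrictIPv4(netStr);
  const addr = parseStrictIPv4(ip);
  const bits = Number(bitsStr);
  if (net === null || addr === null ||
      !Number.isInteger(bits) || bits < 0 || bits > 32) {
    throw new Error(`non-canonical address or prefix: ${ip} / ${cidr}`);
  }
  // A shift by 32 is a no-op in JavaScript, so /0 is handled explicitly.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((net & mask) >>> 0);
}

// Default-deny allowlist check: anything the strict parser refuses is denied.
function isAllowed(ip, allowlist) {
  try {
    return allowlist.some((cidr) => inCidr(ip, cidr));
  } catch {
    return false;
  }
}

// Constructed sample inputs (assumptions for this example).
const loopbackOnly = ["127.0.0.0/8"];
console.log(isAllowed("127.0.0.1", loopbackOnly));   // true
console.log(isAllowed("0177.0.0.1", loopbackOnly));  // false: leading zero rejected
console.log(isAllowed("127.0.0.09", loopbackOnly));  // false: "09" rejected
console.log(lenientOctalOctet("09"), lenientOctalOctet("0177")); // 0 127
```

The design choice is to fail closed on anything non-canonical. If a component that later resolves or connects to the string (a DNS stub resolver, a C library parser, a browser) would read "0177.0.0.1" differently from the access-control layer, the only robust defence is not to let such a string reach the decision at all.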

Permalink: https://github.com/advisories/GHSA-pch5-whg9-qr2r
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBjaDUtd2hnOS1xcjJy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: 8 months ago


CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Identifiers: GHSA-pch5-whg9-qr2r, CVE-2021-29418
References: Repository: https://github.com/rs/node-netmask
Blast Radius: 27.8

Affected Packages

npm:netmask
Dependent packages: 468
Dependent repositories: 177,363
Downloads: 30,409,418 last month
Affected Version Ranges: < 2.0.1
Fixed in: 2.0.1
All affected versions: 0.0.0, 0.0.1, 0.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 2.0.0
All unaffected versions: 2.0.1, 2.0.2