CVE-2021-23386
HIGH 7.7
Description
This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over an unencrypted network when querying crafted invalid domain names.
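The class of bug described above (CWE-909), shown as an added example that is not dns-packet's code: a hypothetical name encoder whose size calculation and write loop disagree, its hardened form, and a sentinel-based regression check. All function names and sample names are constructed for illustration.

```javascript
// Added illustration; hypothetical encoder, not dns-packet's source.
// Assumes ASCII names with labels under 64 bytes.

// Sizes the buffer from the raw string: one byte per character,
// plus the first length prefix and the root terminator.
function encodingLength(name) {
  return Buffer.byteLength(name) + 2;
}

// Writes length-prefixed labels and returns the number of bytes written.
// Empty labels are skipped, so such a name writes fewer bytes than were sized.
function writeLabels(buf, name) {
  let off = 0;
  for (const label of name.split('.')) {
    if (label.length === 0) continue;
    buf[off++] = Buffer.byteLength(label);
    off += buf.write(label, off);
  }
  buf[off++] = 0; // root label terminates the name
  return off;
}

// "Before": uninitialized allocation, whole buffer returned for sending.
function encodeNameUnsafe(name) {
  const buf = Buffer.allocUnsafe(encodingLength(name));
  writeLabels(buf, name);
  return buf; // any unwritten tail still holds old process memory
}

// "After": zero-filled allocation, trimmed to what was actually written.
function encodeNameHardened(name) {
  const buf = Buffer.alloc(encodingLength(name));
  return buf.subarray(0, writeLabels(buf, name));
}

// Regression check: pre-fill with a sentinel and count bytes never overwritten.
// Non-zero means allocUnsafe would have left that many bytes uninitialized.
const SENTINEL = 0xa5; // cannot appear as ASCII text or a label length here
function countUnwritten(name) {
  const buf = Buffer.alloc(encodingLength(name), SENTINEL);
  writeLabels(buf, name);
  return buf.filter((b) => b === SENTINEL).length;
}

console.log(countUnwritten('example.com'), countUnwritten('a....b'));
```

The same sentinel check can be pointed at any encoder that accepts a caller-supplied buffer, which makes it usable as a unit test for size/write mismatches.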
CVE Details
CVSS v3.1 Score: 7.7
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
Attack Vector: NETWORK
Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Published: 5/20/2021
Last Modified: 11/21/2024
Source: nvd
Honeypot Sightings: 0
Affected Products
dns-packet_project:dns-packet
Weaknesses (CWE)
CWE-909
References
https://github.com/mafintosh/dns-packet/commit/25f15dd0fedc53688b25fd053ebbdffe3d5c1c56 (report@snyk.io)
https://hackerone.com/bugs?subject=user&%3Breport_id=968858 (report@snyk.io)
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1295719 (report@snyk.io)
https://snyk.io/vuln/SNYK-JS-DNSPACKET-1293563 (report@snyk.io)
IOC Correlations
No correlations recorded