CVE-2021-28918

{"id": "CVE-2021-28918", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.4, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2021-04-01T13:15:14.460", "references": [{"url": "https://github.com/advisories/GHSA-pch5-whg9-qr2r", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/rs/node-netmask", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://security.netapp.com/advisory/ntap-20210528-0010/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/", "tags": ["Exploit", "Press/Media Coverage", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.npmjs.com/package/netmask", "tags": ["Product", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/advisories/GHSA-pch5-whg9-qr2r", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/rs/node-netmask", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20210528-0010/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/", "tags": ["Exploit", "Press/Media Coverage", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.npmjs.com/package/netmask", "tags": ["Product", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-704"}]}], "descriptions": [{"lang": "en", "value": "Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts."}, {"lang": "es", "value": "Una comprobaci\u00f3n inapropiada de entrada de cadenas octales en el paquete netmask npm versiones v1.0.6 y anteriores, permite a atacantes remotos no autenticados llevar a cabo ataques de tipo SSRF, RFI y LFI indeterminados en muchos de los paquetes dependientes. Un atacante remoto no autenticado puede omitir unos paquetes que dependen de la m\u00e1scara de red para filtrar las direcciones IP y llegar a hosts cr\u00edticos de VPN o LAN."}], "lastModified": "2024-11-21T06:00:23.850", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:netmask_project:netmask:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "1EDCEBC9-A043-4B75-BF02-1CA22DFA4E10", "versionEndIncluding": "1.0.6"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}