Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.
References
| Link | Resource |
|---|---|
| https://github.com/advisories/GHSA-pch5-whg9-qr2r | Third Party Advisory |
| https://github.com/rs/node-netmask | Third Party Advisory |
| https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md | Exploit, Third Party Advisory |
| https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/ | Third Party Advisory |
| https://security.netapp.com/advisory/ntap-20210528-0010/ | Third Party Advisory |
| https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/ | Exploit, Press/Media Coverage, Third Party Advisory |
| https://www.npmjs.com/package/netmask | Product, Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2021-04-01T12:33:50
Updated: 2021-12-30T15:18:56
Reserved: 2021-03-19T00:00:00
Link: CVE-2021-28918
NVD Information
Status : Analyzed
Published: 2021-04-01T13:15:14.460
Modified: 2023-08-08T14:22:24.967
Link: CVE-2021-28918
Redhat Information
No data.
CWE