cnvd - cnvd-2021-37767

cnvd-2021-37767

Vulnerability from cnvd

Title: nodejs输入验证错误漏洞

Description:

nodejs是一个基于ChromeV8引擎的JavaScript运行环境通过对Chromev8引擎进行了封装以及使用事件驱动和非阻塞IO的应用让Javascript开发高性能的后台应用成为了可能。

Node.js netmask Octal Input Data 存在输入验证错误漏洞，攻击者可利用该漏洞输入数据触发跨站请求伪造，以迫使受害者执行操作。

Severity: 中

Patch Name: nodejs输入验证错误漏洞的补丁

Patch Description:

Node.js netmask Octal Input Data 存在输入验证错误漏洞，攻击者可利用该漏洞输入数据触发跨站请求伪造，以迫使受害者执行操作。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www.npmjs.com/advisories/1658

Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-28918

Impacted products

Name
nodejs nodejs <=v1.0.6

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-28918"
    }
  },
  "description": "nodejs\u662f\u4e00\u4e2a\u57fa\u4e8eChromeV8\u5f15\u64ce\u7684JavaScript\u8fd0\u884c\u73af\u5883\u901a\u8fc7\u5bf9Chromev8\u5f15\u64ce\u8fdb\u884c\u4e86\u5c01\u88c5\u4ee5\u53ca\u4f7f\u7528\u4e8b\u4ef6\u9a71\u52a8\u548c\u975e\u963b\u585eIO\u7684\u5e94\u7528\u8ba9Javascript\u5f00\u53d1\u9ad8\u6027\u80fd\u7684\u540e\u53f0\u5e94\u7528\u6210\u4e3a\u4e86\u53ef\u80fd\u3002\n\nNode.js netmask Octal Input Data \u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8f93\u5165\u6570\u636e\u89e6\u53d1\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\uff0c\u4ee5\u8feb\u4f7f\u53d7\u5bb3\u8005\u6267\u884c\u64cd\u4f5c\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.npmjs.com/advisories/1658",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-37767",
  "openTime": "2021-05-28",
  "patchDescription": "nodejs\u662f\u4e00\u4e2a\u57fa\u4e8eChromeV8\u5f15\u64ce\u7684JavaScript\u8fd0\u884c\u73af\u5883\u901a\u8fc7\u5bf9Chromev8\u5f15\u64ce\u8fdb\u884c\u4e86\u5c01\u88c5\u4ee5\u53ca\u4f7f\u7528\u4e8b\u4ef6\u9a71\u52a8\u548c\u975e\u963b\u585eIO\u7684\u5e94\u7528\u8ba9Javascript\u5f00\u53d1\u9ad8\u6027\u80fd\u7684\u540e\u53f0\u5e94\u7528\u6210\u4e3a\u4e86\u53ef\u80fd\u3002\r\n\r\nNode.js netmask Octal Input Data \u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8f93\u5165\u6570\u636e\u89e6\u53d1\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\uff0c\u4ee5\u8feb\u4f7f\u53d7\u5bb3\u8005\u6267\u884c\u64cd\u4f5c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "nodejs\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "nodejs nodejs \u003c=v1.0.6"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-28918",
  "serverity": "\u4e2d",
  "submitTime": "2021-04-06",
  "title": "nodejs\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2021-28918 (GCVE-0-2021-28918)

Vulnerability from cvelistv5

Published

2021-04-01 12:33

Modified

2024-08-03 21:55

Severity ?

CWE

Summary

Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.

References

▼	URL	Tags
	https://www.npmjs.com/package/netmask	x_refsource_MISC
	https://github.com/rs/node-netmask	x_refsource_MISC
	https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/	x_refsource_MISC
	https://github.com/advisories/GHSA-pch5-whg9-qr2r	x_refsource_MISC
	https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-20210528-0010/	x_refsource_CONFIRM
	https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:55:11.828Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.npmjs.com/package/netmask"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rs/node-netmask"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/advisories/GHSA-pch5-whg9-qr2r"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210528-0010/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-12-30T15:18:56",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.npmjs.com/package/netmask"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rs/node-netmask"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/advisories/GHSA-pch5-whg9-qr2r"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210528-0010/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-28918",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.npmjs.com/package/netmask",
              "refsource": "MISC",
              "url": "https://www.npmjs.com/package/netmask"
            },
            {
              "name": "https://github.com/rs/node-netmask",
              "refsource": "MISC",
              "url": "https://github.com/rs/node-netmask"
            },
            {
              "name": "https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/",
              "refsource": "MISC",
              "url": "https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/"
            },
            {
              "name": "https://github.com/advisories/GHSA-pch5-whg9-qr2r",
              "refsource": "MISC",
              "url": "https://github.com/advisories/GHSA-pch5-whg9-qr2r"
            },
            {
              "name": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md",
              "refsource": "MISC",
              "url": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210528-0010/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210528-0010/"
            },
            {
              "name": "https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/",
              "refsource": "MISC",
              "url": "https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-28918",
    "datePublished": "2021-04-01T12:33:50",
    "dateReserved": "2021-03-19T00:00:00",
    "dateUpdated": "2024-08-03T21:55:11.828Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted