CVE-2018-7160
17.05.2018, 14:29
The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access.Enginsight
| Vendor | Product | Version |
|---|---|---|
| nodejs | node.js | 6.0.0 ≤ 𝑥 ≤ 6.8.1 |
| nodejs | node.js | 6.9.0 ≤ 𝑥 < 6.14.0 |
| nodejs | node.js | 8.0.0 ≤ 𝑥 ≤ 8.8.1 |
| nodejs | node.js | 8.9.0 ≤ 𝑥 < 8.11.0 |
| nodejs | node.js | 9.0.0 ≤ 𝑥 < 9.10.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| nodejs |
|
Common Weakness Enumeration
- CWE-350 - Reliance on Reverse DNS Resolution for a Security-Critical ActionThe software performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.
- CWE-290 - Authentication Bypass by SpoofingThis attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks.
References