CVE-2021-23386

This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.7 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
snykCNA
7.7 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 52%
VendorProductVersion
dns-packet_projectdns-packet
𝑥
< 1.3.4
dns-packet_projectdns-packet
2.0.0 ≤
𝑥
< 5.2.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/mafintosh/dns-packet/commit/25f15dd0fedc53688b25fd053ebbdffe3d5c1c56
https://hackerone.com/bugs?subject=user&amp%3Breport_id=968858
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1295719
https://snyk.io/vuln/SNYK-JS-DNSPACKET-1293563
https://github.com/mafintosh/dns-packet/commit/25f15dd0fedc53688b25fd053ebbdffe3d5c1c56
https://hackerone.com/bugs?subject=user&amp%3Breport_id=968858
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1295719
https://snyk.io/vuln/SNYK-JS-DNSPACKET-1293563