1. Home
  2. Vulnerabilities
  3. CVE-2021-22884

CVE-2021-22884

CVSS v3.1 7.5 (High)
75% Progress
CVSS v2.0 5.1 (Medium)
51% Progress
EPSS 0.54 % (78th)
0.54% Progress
Affected Products 13
Advisories 33
Info CVSS EPSS CAPEC Affected Configurations References Security Advisories Packages & Software OVAL Tools, Exploits & PoC Graph Web & Social Timeline

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.

Weaknesses
CWE-350
Reliance on Reverse DNS Resolution for a Security-Critical Action
CWE-NVD-Other
Related CVEs
CVE Status
PUBLISHED
CNA
HackerOne
Published Date
2021-03-03 18:15:14
(3 years ago)
Updated Date
2023-11-07 03:30:27
(10 months ago)

Affected Products

Fedoraproject

Netapp

Nodejs

Oracle

Siemens

Configuration #1

    CPE23 From Up To
  Nodejs Node.js from 10.0.0 version and prior 10.24.0 version cpe:2.3:a:nodejs:node.js::*:*:*:lts >= 10.0.0 < 10.24.0
  Nodejs Node.js from 12.0.0 version and prior 12.21.0 version cpe:2.3:a:nodejs:node.js::*:*:*:lts >= 12.0.0 < 12.21.0
  Nodejs Node.js from 14.0.0 version and prior 14.16.0 version cpe:2.3:a:nodejs:node.js::*:*:*:lts >= 14.0.0 < 14.16.0
  Nodejs Node.js from 15.0.0 version and prior 15.10.0 version cpe:2.3:a:nodejs:node.js::*:*:*:- >= 15.0.0 < 15.10.0

Configuration #2

    CPE23 From Up To
  Fedoraproject Fedora 32 cpe:2.3:o:fedoraproject:fedora:32
  Fedoraproject Fedora 33 cpe:2.3:o:fedoraproject:fedora:33
  Fedoraproject Fedora 34 cpe:2.3:o:fedoraproject:fedora:34

Configuration #3

    CPE23 From Up To
  Netapp Active Iq Unified Manager for Vmware Vsphere cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere
  Netapp Active Iq Unified Manager for Windows cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows
  Netapp E-series Performance Analyzer cpe:2.3:a:netapp:e-series_performance_analyzer:-
  Netapp Oncommand Insight cpe:2.3:a:netapp:oncommand_insight:-
  Netapp Oncommand Workflow Automation cpe:2.3:a:netapp:oncommand_workflow_automation:-
  Netapp Snapcenter cpe:2.3:a:netapp:snapcenter:-

Configuration #4

    CPE23 From Up To
  Oracle Graalvm 19.3.5 cpe:2.3:a:oracle:graalvm:19.3.5:*:*:*:enterprise
  Oracle Graalvm 20.3.1.2 cpe:2.3:a:oracle:graalvm:20.3.1.2:*:*:*:enterprise
  Oracle Graalvm 21.0.0.2 cpe:2.3:a:oracle:graalvm:21.0.0.2:*:*:*:enterprise
  Oracle Jd Edwards Enterpriseone Tools prior 9.2.6.0 version cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools < 9.2.6.0
  Oracle Mysql Cluster 8.0.25 and prior versions cpe:2.3:a:oracle:mysql_cluster <= 8.0.25
  Oracle Nosql Database prior 20.3 version cpe:2.3:a:oracle:nosql_database < 20.3
  Oracle Peoplesoft Enterprise Peopletools 8.58 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58
  Oracle Peoplesoft Enterprise Peopletools 8.59 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59

Configuration #5

    CPE23 From Up To
  Siemens Sinec Infrastructure Network Services prior 1.0.1.1 version cpe:2.3:a:siemens:sinec_infrastructure_network_services < 1.0.1.1