Vulnerability Description
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nodejs | Node.Js | >= 10.0.0, < 10.24.0 |
| Fedoraproject | Fedora | 32 |
| Netapp | Active Iq Unified Manager | - |
| Netapp | E-Series Performance Analyzer | - |
| Netapp | Oncommand Insight | - |
| Netapp | Oncommand Workflow Automation | - |
| Netapp | Snapcenter | - |
| Oracle | Graalvm | 19.3.5 |
| Oracle | Jd Edwards Enterpriseone Tools | < 9.2.6.0 |
| Oracle | Mysql Cluster | <= 8.0.25 |
| Oracle | Nosql Database | < 20.3 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.58 |
| Siemens | Sinec Infrastructure Network Services | < 1.0.1.1 |
Related Weaknesses (CWE)
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfPatchThird Party Advisory
- https://hackerone.com/reports/1069487ExploitIssue TrackingThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/PatchRelease NotesVendor Advisory
- https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/#node-js-iPatchRelease NotesVendor Advisory
- https://security.netapp.com/advisory/ntap-20210416-0001/Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210723-0001/Third Party Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpuApr2021.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfPatchThird Party Advisory
- https://hackerone.com/reports/1069487ExploitIssue TrackingThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2021-22884?
CVE-2021-22884 is a vulnerability with a CVSS score of 7.5 (HIGH). Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordin...
How severe is CVE-2021-22884?
CVE-2021-22884 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-22884?
Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Node.Js, Fedoraproject Fedora, Netapp Active Iq Unified Manager, Netapp E-Series Performance Analyzer, Netapp Oncommand Insight.