Vulnerability Description
This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dns-Packet Project | Dns-Packet | < 1.3.4 |
Related Weaknesses (CWE)
References
- https://github.com/mafintosh/dns-packet/commit/25f15dd0fedc53688b25fd053ebbdffe3PatchThird Party Advisory
- https://hackerone.com/bugs?subject=user&%3Breport_id=968858Permissions RequiredThird Party Advisory
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1295719PatchThird Party Advisory
- https://snyk.io/vuln/SNYK-JS-DNSPACKET-1293563PatchThird Party Advisory
- https://github.com/mafintosh/dns-packet/commit/25f15dd0fedc53688b25fd053ebbdffe3PatchThird Party Advisory
- https://hackerone.com/bugs?subject=user&%3Breport_id=968858Permissions RequiredThird Party Advisory
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1295719PatchThird Party Advisory
- https://snyk.io/vuln/SNYK-JS-DNSPACKET-1293563PatchThird Party Advisory
FAQ
What is CVE-2021-23386?
CVE-2021-23386 is a vulnerability with a CVSS score of 7.7 (HIGH). This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over une...
How severe is CVE-2021-23386?
CVE-2021-23386 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-23386?
Check the references section above for vendor advisories and patch information. Affected products include: Dns-Packet Project Dns-Packet.