CVE-2021-28918 — CRITICAL (9.1)

Q: How severe is CVE-2021-28918?

CVE-2021-28918 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2021-28918?

Check the references section above for vendor advisories and patch information. Affected products include: Netmask Project Netmask.

Vulnerability Description

Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.

CVSS Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Netmask Project	Netmask	<= 1.0.6

Related Weaknesses (CWE)

CWE-704

References

https://github.com/advisories/GHSA-pch5-whg9-qr2rThird Party Advisory
https://github.com/rs/node-netmaskThird Party Advisory
https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.mdExploitThird Party Advisory
https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-2Third Party Advisory
https://security.netapp.com/advisory/ntap-20210528-0010/Third Party Advisory
https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-iExploitPress/Media CoverageThird Party Advisory
https://www.npmjs.com/package/netmaskProductThird Party Advisory
https://github.com/advisories/GHSA-pch5-whg9-qr2rThird Party Advisory
https://github.com/rs/node-netmaskThird Party Advisory
https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.mdExploitThird Party Advisory
https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-2Third Party Advisory
https://security.netapp.com/advisory/ntap-20210528-0010/Third Party Advisory
https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-iExploitPress/Media CoverageThird Party Advisory
https://www.npmjs.com/package/netmaskProductThird Party Advisory

FAQ

What is CVE-2021-28918?

CVE-2021-28918 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent ...

How severe is CVE-2021-28918?

CVE-2021-28918 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2021-28918?

Check the references section above for vendor advisories and patch information. Affected products include: Netmask Project Netmask.