
@debricked debricked bot commented Nov 23, 2022

CVE-2021-28918

Vulnerability details

Description

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

GitHub

Improper parsing of octal bytes in netmask

Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.

❗ NOTE: The fix for this issue was incomplete. A subsequent fix was made in version 2.0.1 which was assigned CVE-2021-29418 / GHSA-pch5-whg9-qr2r. For complete protection from this vulnerability an upgrade to version 2.0.1 or later is recommended.

NVD

Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.

CVSS details - 9.1

 

CVSS3 metrics

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None


 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE

 
