CVE-2021-23386 (High) detected in dns-packet-1.3.1.tgz #94
whitesource-bolt-for-github[bot] posted on GitHub
CVE-2021-23386 - High Severity Vulnerability
<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/vulnerability_details.png' width=19 height=20> Vulnerable Library - <b>dns-packet-1.3.1.tgz</b></summary>
<p>An abstract-encoding compliant module for encoding / decoding DNS packets</p> <p>Library home page: <a href="https://registry.npmjs.org/dns-packet/-/dns-packet-1.3.1.tgz">https://registry.npmjs.org/dns-packet/-/dns-packet-1.3.1.tgz</a></p> <p>Path to dependency file: github-pages-vuepress/package.json</p> <p>Path to vulnerable library: github-pages-vuepress/node_modules/dns-packet</p> <p>
Dependency Hierarchy:
- vuepress-1.8.2.tgz (Root Library)
  - core-1.8.2.tgz
    - webpack-dev-server-3.11.0.tgz
      - bonjour-3.5.0.tgz
        - multicast-dns-6.2.3.tgz
          - :x: dns-packet-1.3.1.tgz (Vulnerable Library)
<p>Found in HEAD commit: <a href="https://github.com/scriptex/github-pages-vuepress/commit/099829870746c54c9db0db07f31b2d46818ce173">099829870746c54c9db0db07f31b2d46818ce173</a></p> <p>Found in base branch: <b>master</b></p> </p> </details> <p></p> <details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png' width=19 height=20> Vulnerability Details</summary> <p>
This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over an unencrypted network when querying crafted invalid domain names.
<p>Publish Date: 2021-05-20 <p>URL: <a href=https://vuln.whitesourcesoftware.com/vulnerability/CVE-2021-23386>CVE-2021-23386</a></p> </p> </details> <p></p> <details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/cvss3.png' width=19 height=20> CVSS 3 Score Details (<b>7.7</b>)</summary> <p>
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: Low
  - Availability Impact: Low
</p> For more information on CVSS3 Scores, click <a href="https://www.first.org/cvss/calculator/3.0">here</a>. </p> </details> <p></p> <details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/suggested_fix.png' width=19 height=20> Suggested Fix</summary> <p>
<p>Type: Upgrade version</p> <p>Origin: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23386">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23386</a></p> <p>Release Date: 2021-05-20</p> <p>Fix Resolution: dns-packet - 5.2.2</p>
</p> </details> <p></p>