Description
This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.
Remediation
References
https://github.com/mafintosh/dns-packet/commit/25f15dd0fedc53688b25fd053ebbdffe3d5c1c56
https://hackerone.com/bugs?subject=user&%3Breport_id=968858
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1295719
https://snyk.io/vuln/SNYK-JS-DNSPACKET-1293563
Related Vulnerabilities
CVE-2020-36049 Vulnerability in maven package org.webjars.npm:socket.io-parser
CVE-2018-9206 Vulnerability in maven package org.webjars.bower:blueimp-file-upload
CVE-2016-1000339 Vulnerability in maven package org.bouncycastle:bcprov-jdk15on
CVE-2012-3546 Vulnerability in maven package org.apache.tomcat:tomcat-catalina
CVE-2023-33831 Vulnerability in npm package @frangoteam/fuxa