Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2021-23386 Vulnerability in npm package dns-packet

Description

This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.

Remediation

References

https://github.com/mafintosh/dns-packet/commit/25f15dd0fedc53688b25fd053ebbdffe3d5c1c56

https://hackerone.com/bugs?subject=user&amp%3Breport_id=968858

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1295719

https://snyk.io/vuln/SNYK-JS-DNSPACKET-1293563

Related Vulnerabilities

CVE-2023-40014 Vulnerability in npm package @openzeppelin/contracts-upgradeable

CVE-2023-38698 Vulnerability in npm package @ensdomains/ens-contracts

CVE-2022-36045 Vulnerability in npm package nodebb

CVE-2020-7709 Vulnerability in maven package org.webjars.npm:json-pointer

CVE-2022-23712 Vulnerability in maven package org.elasticsearch:elasticsearch

Severity

High

Classification

CWE-909 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Patch Third Party Advisory Permissions Required