HIGH✓ PATCH🇵🇱 Wersja polska

CVE-2021-22884

CVSS 7.5v3.1pub. 2021-03-03upd. 2024-11-21

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Fedora Project Fedora

    OS
    Fedoraproject
    323334
  • Netapp Active Iq Unified Manager

    APP
    Netapp
    wszystkie wersje
  • Netapp E Series Performance Analyzer

    APP
    Netapp
    wszystkie wersje
  • Netapp Oncommand Insight

    APP
    Netapp
    wszystkie wersje
  • Netapp Oncommand Workflow Automation

    APP
    Netapp
    wszystkie wersje
  • Netapp Snapcenter

    APP
    Netapp
    wszystkie wersje
  • Node.js

    APP
    Nodejs
    10.0.0 – 10.24.0 (bez)12.0.0 – 12.21.0 (bez)14.0.0 – 14.16.0 (bez)15.0.0 – 15.10.0 (bez)
  • Oracle Graalvm

    APP
    Oracle
    19.3.520.3.1.221.0.0.2
  • Oracle Jd Edwards Enterpriseone Tools

    APP
    Oracle
    < 9.2.6.0
  • Oracle MySQL Cluster

    APP
    Oracle
    ≤ 8.0.25
  • Oracle Nosql Database

    APP
    Oracle
    < 20.3
  • Oracle Peoplesoft Enterprise Peopletools

    APP
    Oracle
    8.588.59
  • Siemens Sinec Infrastructure Network Services

    APP
    Siemens
    < 1.0.1.1
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2026-35273CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Pominięcie uwierzytelnienia w Oracle PeopleSoft PeopleTools (RCE/Takeover)

CVE-2024-4577CRITICAL9.8⚠ KEVPL ✓ten sam produkt

PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit

CVE-2024-5274CRITICAL9.6⚠ KEVPL ✓ten sam produkt

Type Confusion w V8 (Google Chrome) — RCE przez spreparowaną stronę HTML

CVE-2024-4947CRITICAL9.6⚠ KEVPL ✓ten sam produkt

Type Confusion w silniku V8 Chrome — zdalne wykonanie kodu (RCE)

CVE-2024-4671CRITICAL9.6⚠ KEVPL ✓ten sam produkt

Use-after-free w Google Chrome Visuals umożliwiający ucieczkę z sandbox