CVE-2021-28918
Vulnerability from cvelistv5
Published
2021-04-01 12:33
Modified
2024-08-03 21:55
Severity ?
Summary
Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.
References
cve@mitre.orghttps://github.com/advisories/GHSA-pch5-whg9-qr2rThird Party Advisory
cve@mitre.orghttps://github.com/rs/node-netmaskThird Party Advisory
cve@mitre.orghttps://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.mdExploit, Third Party Advisory
cve@mitre.orghttps://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/Third Party Advisory
cve@mitre.orghttps://security.netapp.com/advisory/ntap-20210528-0010/Third Party Advisory
cve@mitre.orghttps://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/Exploit, Press/Media Coverage, Third Party Advisory
cve@mitre.orghttps://www.npmjs.com/package/netmaskProduct, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/advisories/GHSA-pch5-whg9-qr2rThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/rs/node-netmaskThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.mdExploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20210528-0010/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/Exploit, Press/Media Coverage, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.npmjs.com/package/netmaskProduct, Third Party Advisory
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:55:11.828Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.npmjs.com/package/netmask"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rs/node-netmask"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/advisories/GHSA-pch5-whg9-qr2r"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210528-0010/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-12-30T15:18:56",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.npmjs.com/package/netmask"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rs/node-netmask"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/advisories/GHSA-pch5-whg9-qr2r"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210528-0010/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-28918",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.npmjs.com/package/netmask",
              "refsource": "MISC",
              "url": "https://www.npmjs.com/package/netmask"
            },
            {
              "name": "https://github.com/rs/node-netmask",
              "refsource": "MISC",
              "url": "https://github.com/rs/node-netmask"
            },
            {
              "name": "https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/",
              "refsource": "MISC",
              "url": "https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/"
            },
            {
              "name": "https://github.com/advisories/GHSA-pch5-whg9-qr2r",
              "refsource": "MISC",
              "url": "https://github.com/advisories/GHSA-pch5-whg9-qr2r"
            },
            {
              "name": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md",
              "refsource": "MISC",
              "url": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210528-0010/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210528-0010/"
            },
            {
              "name": "https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/",
              "refsource": "MISC",
              "url": "https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-28918",
    "datePublished": "2021-04-01T12:33:50",
    "dateReserved": "2021-03-19T00:00:00",
    "dateUpdated": "2024-08-03T21:55:11.828Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-28918\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2021-04-01T13:15:14.460\",\"lastModified\":\"2024-11-21T06:00:23.850\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.\"},{\"lang\":\"es\",\"value\":\"Una comprobaci\u00f3n inapropiada de entrada de cadenas octales en el paquete netmask npm versiones v1.0.6 y anteriores, permite a atacantes remotos no autenticados llevar a cabo ataques de tipo SSRF, RFI y LFI indeterminados en muchos de los paquetes dependientes.\u0026#xa0;Un atacante remoto no autenticado puede omitir unos paquetes que dependen de la m\u00e1scara de red para filtrar las direcciones IP y llegar a hosts cr\u00edticos de VPN o LAN.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:N\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-704\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netmask_project:netmask:*:*:*:*:*:node.js:*:*\",\"versionEndIncluding\":\"1.0.6\",\"matchCriteriaId\":\"1EDCEBC9-A043-4B75-BF02-1CA22DFA4E10\"}]}]}],\"references\":[{\"url\":\"https://github.com/advisories/GHSA-pch5-whg9-qr2r\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/rs/node-netmask\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20210528-0010/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Press/Media Coverage\",\"Third Party Advisory\"]},{\"url\":\"https://www.npmjs.com/package/netmask\",\"source\":\"cve@mitre.org\",\"tags\":[\"Product\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/advisories/GHSA-pch5-whg9-qr2r\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/rs/node-netmask\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20210528-0010/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Press/Media Coverage\",\"Third Party Advisory\"]},{\"url\":\"https://www.npmjs.com/package/netmask\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\",\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.