CVE-2021-23386
Published May 20, 2021
Last updated 2 years ago
Overview
- Description
- This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.
- Source
- report@snyk.io
- NVD status
- Analyzed
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 6.5
- Impact score
- 3.6
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Severity
- MEDIUM
CVSS 2.0
- Type
- Primary
- Base score
- 4
- Impact score
- 2.9
- Exploitability score
- 8
- Vector string
- AV:N/AC:L/Au:S/C:P/I:N/A:N
Weaknesses
- nvd@nist.gov
- CWE-909
Social media
- Hype score
- Not currently trending
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dns-packet_project:dns-packet:*:*:*:*:*:node.js:*:*",
"vulnerable": true,
"matchCriteriaId": "762967F6-7E35-496E-B72E-4CDD935C42B8",
"versionEndExcluding": "1.3.4"
},
{
"criteria": "cpe:2.3:a:dns-packet_project:dns-packet:*:*:*:*:*:node.js:*:*",
"vulnerable": true,
"matchCriteriaId": "D5C4FFB0-2B90-4CDA-99CF-DE77EC8643CF",
"versionEndExcluding": "5.2.2",
"versionStartIncluding": "2.0.0"
}
],
"operator": "OR"
}
]
}
]