Home > Vulnerability Database > CVE-2021-22884

Mend.io Vulnerability Database

CVE-2021-22884

Good to know:

Date: March 3, 2021

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.

Language: C++

Severity Score

7.5

Related Resources (21)

Url: https://www.oracle.com/security-alerts/cpuApr2021.html

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HSYFUGKFUSZ27M5TEZ3FKILWTWFJTFAZ/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E4FRS5ZVK4ZQ7XIJQNGIKUXG2DJFHLO7/

Url: https://security-tracker.debian.org/tracker/CVE-2021-22884

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F45Y7TXSU33MTKB6AGL2Q5V5ZOCNPKOG/

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-22884

Url: https://hackerone.com/reports/1069487

Url: https://security.netapp.com/advisory/ntap-20210723-0001/

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2021-22884

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F45Y7TXSU33MTKB6AGL2Q5V5ZOCNPKOG/

Url: https://access.redhat.com/security/cve/CVE-2021-22884

Url: https://security.netapp.com/advisory/ntap-20210416-0001/

Url: https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/#node-js-inspector-dns-rebinding-vulnerability-cve-2018-7160

Url: https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/

Url: https://security.alpinelinux.org/vuln/CVE-2021-22884

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSYFUGKFUSZ27M5TEZ3FKILWTWFJTFAZ/

Url: https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Url: https://www.oracle.com//security-alerts/cpujul2021.html

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E4FRS5ZVK4ZQ7XIJQNGIKUXG2DJFHLO7/

Url: https://www.oracle.com/security-alerts/cpuoct2021.html

Url: https://www.mend.io/vulnerability-database/CVE-2021-22884

Severity Score

7.5

Weakness Type (CWE)

Reliance on Reverse DNS Resolution for a Security-Critical Action

CWE-350

Top Fix

Upgrade Version

Upgrade to version 15.10.0, 14.16.0, 12.21.0, 10.24.0

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	5.1
Access Vector (AV):	NETWORK
Access Complexity (AC):	HIGH
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-22884

Good to know:

Date: March 3, 2021

Language: C++

Severity Score

Related Resources (21)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?