Home > Vulnerability Database > CVE-2021-23386

Mend.io Vulnerability Database

CVE-2021-23386

Good to know:

Date: May 20, 2021

This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.

Language: JS

Severity Score

7.7

Related Resources (5)

Url: https://github.com/mafintosh/dns-packet/commit/25f15dd0fedc53688b25fd053ebbdffe3d5c1c56

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-23386

Url: https://hackerone.com/bugs?subject=user&%3Breport_id=968858

Url: https://github.com/mafintosh/dns-packet/commit/0d0d593f8df4e2712c43957a6c62e95047f12b2d

Url: https://www.mend.io/vulnerability-database/CVE-2021-23386

Severity Score

7.7

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

Use of Uninitialized Resource

CWE-908

Missing Initialization of Resource

CWE-909

Top Fix

Upgrade Version

Upgrade to version dns-packet - 5.2.2

Learn More

CVSS v3.1

Base Score:	7.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	LOW

CVSS v2

Base Score:	4.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	SINGLE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-23386

Good to know:

Date: May 20, 2021

Language: JS

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?