CVE-2021-23386

medium

Description

This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.

References

Advisories

https://snyk.io/vuln/SNYK-JS-DNSPACKET-1293563

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1295719

https://hackerone.com/bugs?subject=user&amp%3Breport_id=968858

https://github.com/mafintosh/dns-packet/commit/25f15dd0fedc53688b25fd053ebbdffe3d5c1c56

Details

Source: Mitre, NVD

Published: 2021-05-20

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00826