CVE-2018-7160

EPSS 1.5%
Veröffentlicht 17.05.2018 14:29:00
Zuletzt bearbeitet 21.11.2024 04:11:42
Quelle cve-request@iojs.org
CVE-Watchlists
Login
Unerledigt
Login

The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nodejs ≫ Node.Js SwEdition- Version >= 6.0.0 <= 6.8.1

Nodejs ≫ Node.Js SwEditionlts Version >= 6.9.0 < 6.14.0

Nodejs ≫ Node.Js SwEdition- Version >= 8.0.0 <= 8.8.1

Nodejs ≫ Node.Js SwEditionlts Version >= 8.9.0 < 8.11.0

Nodejs ≫ Node.Js SwEdition- Version >= 9.0.0 < 9.10.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.5%	0.806

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action

The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.

https://www.oracle.com//security-alerts/cpujul2021.html

Third Party Advisory

https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/

Vendor Advisory

https://support.f5.com/csp/article/K63025104?utm_source=f5support&amp%3Butm_medium=RSS

https://nvd.nist.gov/vuln/detail/CVE-2018-7160

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-7160

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-7160

EUVD