
CVE-2021-28918 netmask

Package

Manager: npm
Name: netmask
Vulnerable Version: >=0 <1.1.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.85896 (percentile 0.99345)

Details

Improper parsing of octal bytes in netmask

Improper input validation of octal strings in the netmask npm package, version 1.0.6 and below, allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. An IPv4 octet written with a leading zero (for example 0177) is read as decimal by the vulnerable versions but as octal by the operating system's inet_aton, so 0177.0.0.1 is 177.0.0.1 to netmask and 127.0.0.1 to the socket that ultimately connects. A remote unauthenticated attacker can therefore bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.

NOTE: The fix for this issue was incomplete. A subsequent fix was made in version 2.0.1, which was assigned CVE-2021-29418 / GHSA-pch5-whg9-qr2r (https://github.com/advisories/GHSA-pch5-whg9-qr2r). For complete protection from this vulnerability, upgrade to version 2.0.1 or later.
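The parsing mismatch behind this advisory, as an added example written for this page (it is not netmask's own source). Three parsers turn a dotted IPv4 string into a 32-bit integer: a decimal-only reader that reproduces the failure mode described above, an inet_aton-style reader that follows the octal and hex conventions the OS socket layer applies, and a strict canonical reader that refuses anything ambiguous. A constructed deny list is then checked through each parser with the probe address 0177.0.0.1. The inet_aton-style reader is simplified to the four-part form; the real inet_aton also accepts shorter forms such as 127.1.

```javascript
// Added example for this page; it is not netmask's source code.
// Three ways of reading a dotted IPv4 string into a 32-bit integer,
// and a deny-list check run through each one.

// (1) Decimal-only reading: the failure mode this advisory describes.
//     parseInt(p, 10) reads "0177" as 177, so a leading-zero octet is
//     silently mis-decoded instead of being treated as octal.
function ipToLongDecimalOnly(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) throw new Error('Invalid IP: ' + ip);
  return parts.reduce((acc, p) => {
    const b = parseInt(p, 10);
    if (Number.isNaN(b) || b < 0 || b > 255) throw new Error('Invalid byte: ' + p);
    return (acc * 256 + b) >>> 0;
  }, 0);
}

// (2) inet_aton-style reading, the convention the OS socket layer applies:
//     a leading "0" means octal and "0x" means hex, so "0177" is 127.
//     Simplified for the example: only the four-part form is accepted,
//     while the real inet_aton also takes "127.1" and "2130706433".
function inetAton(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) throw new Error('Invalid IP: ' + ip);
  return parts.reduce((acc, p) => {
    let b;
    if (/^0[xX][0-9a-fA-F]+$/.test(p)) b = parseInt(p.slice(2), 16);
    else if (/^0[0-7]+$/.test(p)) b = parseInt(p.slice(1), 8);
    else if (/^(0|[1-9][0-9]*)$/.test(p)) b = parseInt(p, 10);
    else throw new Error('Invalid byte: ' + p);
    if (b > 255) throw new Error('Byte out of range: ' + p);
    return (acc * 256 + b) >>> 0;
  }, 0);
}

// (3) Strict canonical form: exactly four decimal octets, no leading zeros,
//     no hex. Anything else is refused, so a filter fails closed instead of
//     guessing what another parser will do with the string.
function ipToLongStrict(ip) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(String(ip));
  if (!m) throw new Error('Invalid IP: ' + ip);
  return m.slice(1).reduce((acc, p) => {
    if (p.length > 1 && p[0] === '0') throw new Error('Leading zero rejected: ' + p);
    const b = Number(p);
    if (b > 255) throw new Error('Byte out of range: ' + p);
    return (acc * 256 + b) >>> 0;
  }, 0);
}

// Constructed deny list of the kind an SSRF filter keeps. The bases are
// written canonically, so the strict parser is safe to use on them.
const DENY_CIDRS = ['127.0.0.0/8', '10.0.0.0/8', '169.254.0.0/16'];

function inCidr(addr, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((ipToLongStrict(base) & mask) >>> 0);
}

// Runs the filter with a given parser. Returns 'blocked', 'allowed', or
// 'rejected' (the parser refused the string, the fail-closed outcome).
function classify(ip, parser) {
  let addr;
  try {
    addr = parser(ip);
  } catch (e) {
    return 'rejected';
  }
  return DENY_CIDRS.some((c) => inCidr(addr, c)) ? 'blocked' : 'allowed';
}

// Probe constructed for the example: the OS resolves it to 127.0.0.1,
// the decimal-only reader sees 177.0.0.1 and waves it through.
const probe = '0177.0.0.1';
for (const [name, parser] of [
  ['decimal-only (vulnerable)', ipToLongDecimalOnly],
  ['inet_aton-style', inetAton],
  ['strict canonical', ipToLongStrict],
]) {
  console.log(name.padEnd(28), '->', classify(probe, parser));
}
```

The first two parsers disagree about the same string, which is the whole bug: the filter reasons about 177.0.0.1 while the HTTP client it guards connects to 127.0.0.1. Either making the filter agree with the socket layer or refusing non-canonical input closes the gap; refusing is the simpler choice when the application never needs octal or hex addresses.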

Metadata

Created: 2021-04-14T15:03:16Z
Modified: 2022-04-01T20:21:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-4c7m-wxvm-r7gc/GHSA-4c7m-wxvm-r7gc.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-4c7m-wxvm-r7gc
Finding: F184
Auto approve: 1