CVE-2018-7160 – node-inspector

Package

Manager: npm
Name: node-inspector
Vulnerable Version: <0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.01088 pctl0.77079

Details

Withdrawn Advisory: Node.js Inspector RCE via DNS Rebinding ## Withdrawn Advisory This advisory has been withdrawn because this vulnerability affects inspector code in https://github.com/nodejs/node, not the [legacy debugger](https://nodejs.org/en/docs/inspector#legacy-debugger) at https://github.com/node-inspector/node-inspector. https://github.com/nodejs/node is not in a [supported ecosystem](https://github.com/github/advisory-database/blob/main/README.md#supported-ecosystems). ## Original Description The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access.

Metadata

Created: 2022-05-13T01:08:23Z
Modified: 2023-10-09T00:42:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wq4c-wm6x-jw44/GHSA-wq4c-wm6x-jw44.json
CWE IDs: ["CWE-290"]
Alternative ID: GHSA-wq4c-wm6x-jw44
Finding: N/A
Auto approve: 0