node is vulnerable to OS Command Injection. The vulnerability exists due to the insufficient sanitizations in IsIPAddress
function of inspector_socket.cc
, which allows an attacker to gain control of the victim’s router by performing DNS rebinding attacks via DBS requests.
cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7160
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22884
github.com/advisories/GHSA-w95h-2gj2-x2p4
github.com/nodejs/node/commit/48c5aa5cab718d04473fa2761d532657c84b8131
github.com/nodejs/node/commit/754c9bfde06d17b37832f19b32e596f9e2ee69e3
github.com/nodejs/node/commit/e4af5eba957d23dc47497519cb9253dd2dccbeda
hackerone.com/reports/1632921
lists.debian.org/debian-lts-announce/2022/10/msg00006.html
lists.fedoraproject.org/archives/list/[email protected]/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/
lists.fedoraproject.org/archives/list/[email protected]/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/
lists.fedoraproject.org/archives/list/[email protected]/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/
nodejs.org/en/blog/vulnerability/july-2022-security-releases/
nodejs.org/en/blog/vulnerability/july-2022-security-releases/#dns-rebinding-in-inspect-via-invalid-ip-addresses-high-cve-2022-32212
security.netapp.com/advisory/ntap-20220915-0001/
www.debian.org/security/2023/dsa-5326