Description
dns-sync is a synchronous (blocking) DNS resolver. If untrusted user input is passed to the resolve() method, command injection is possible.
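An input check a caller can place in front of resolve(), shown as an added example that is not part of the advisory or of dns-sync's own code. The helper names `isValidHostname` and `guardedResolve` are hypothetical, the resolver is passed in as a plain function, and the sample inputs are constructed.

```javascript
// Added example: strict hostname allowlist applied before any resolver call.
// isValidHostname and guardedResolve are hypothetical helper names.

// One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
// Underscore labels (e.g. _dmarc) are rejected on purpose; this is for host names.
const LABEL = /^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;

function isValidHostname(input) {
  if (typeof input !== 'string') return false;
  // Accept a single trailing dot (fully qualified form), then bound total length.
  const name = input.endsWith('.') ? input.slice(0, -1) : input;
  if (name.length === 0 || name.length > 253) return false;
  // Anything outside the label alphabet (spaces, quotes, ;, $, backticks,
  // newlines, ...) fails here, so it never reaches the resolver.
  return name.split('.').every((label) => LABEL.test(label));
}

// Wraps a resolver function so it only ever receives validated names.
function guardedResolve(resolveFn, input) {
  if (!isValidHostname(input)) {
    throw new TypeError('rejected hostname: ' + JSON.stringify(input));
  }
  return resolveFn(input);
}

// Constructed sample inputs: two well-formed names, then malformed ones.
const samples = [
  'example.com',
  'xn--bcher-kva.example.',
  'example.com; echo x',
  '$(echo x).example.com',
  'a b.example',
  '-bad.example',
  'example.com\n',
];

function classify(inputs) {
  return inputs.map((s) => [s, isValidHostname(s)]);
}

for (const [s, ok] of classify(samples)) {
  console.log(JSON.stringify(s), ok ? 'accept' : 'reject');
}
```

Validation of this kind limits what reaches the resolver; it does not change how the resolver itself handles its argument.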
Remediation
References
https://nodesecurity.io/advisories/523
https://github.com/skoranga/node-dns-sync/issues/5