Description

This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.

Remediation

References

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1295719

https://snyk.io/vuln/SNYK-JS-DNSPACKET-1293563

https://hackerone.com/bugs?subject=user&amp%3Breport_id=968858

https://github.com/mafintosh/dns-packet/commit/25f15dd0fedc53688b25fd053ebbdffe3d5c1c56

Related Vulnerabilities

CVE-2020-36183 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2014-0115 Vulnerability in maven package org.apache.storm:storm-core

CVE-2022-3423 Vulnerability in npm package nocodb

CVE-2020-8203 Vulnerability in maven package org.webjars.bowergithub.lodash:lodash

CVE-2022-24827 Vulnerability in maven package com.yahoo.elide:elide-datastore-aggregation

Severity

High

Classification

CWE-909 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Patch Third Party Advisory Permissions Required