Description
This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.
Remediation
References
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1295719
https://snyk.io/vuln/SNYK-JS-DNSPACKET-1293563
https://hackerone.com/bugs?subject=user&%3Breport_id=968858
https://github.com/mafintosh/dns-packet/commit/25f15dd0fedc53688b25fd053ebbdffe3d5c1c56
Related Vulnerabilities
CVE-2015-3337 Vulnerability in maven package org.elasticsearch:elasticsearch
CVE-2022-35915 Vulnerability in npm package @openzeppelin/contracts-upgradeable
CVE-2020-26870 Vulnerability in npm package dompurify
CVE-2023-46494 Vulnerability in npm package @evershop/evershop
CVE-2018-20227 Vulnerability in maven package org.eclipse.rdf4j:rdf4j-util