CVE-2021-22884

CVE-2021-22884 PUBLISHED

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks because the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over the network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
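
The allowlist weakness described above, shown as a Host-header check for a loopback-only debug endpoint. This is an added example, not Node.js source code; the function names, port number and sample headers are constructed, and the hardened variant assumes the fix is simply to drop “localhost6” from the list.

```javascript
// Added example: Host-header allowlist for a loopback-only debug endpoint.
// Function names, port and sample headers are constructed for illustration.

// Extract the hostname from a Host header ("name", "name:port", "[v6]:port").
function hostnameOf(hostHeader) {
  // Reject anything that is not a plain host[:port] before parsing.
  if (!/^[A-Za-z0-9.\-:\[\]]+$/.test(hostHeader)) return null;
  try {
    return new URL(`http://${hostHeader}`).hostname.toLowerCase();
  } catch {
    return null; // malformed header
  }
}

// After WHATWG URL parsing an IPv6 literal stays bracketed and an IPv4
// literal is normalized to dotted-decimal. IP literals never go through
// DNS, so a rebinding page cannot make the browser send one as Host.
function isIpLiteral(hostname) {
  return hostname.startsWith('[') || /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname);
}

// Weak form: "localhost6" is trusted although it may be resolved over DNS.
function isAllowedHostWeak(hostHeader) {
  const h = hostnameOf(hostHeader);
  return h !== null && (isIpLiteral(h) || h === 'localhost' || h === 'localhost6');
}

// Hardened form (assumption): only IP literals and "localhost" are trusted.
function isAllowedHostHardened(hostHeader) {
  const h = hostnameOf(hostHeader);
  return h !== null && (isIpLiteral(h) || h === 'localhost');
}

// Return the headers the weak check accepts but the hardened check rejects.
function allowlistGap(headers) {
  return headers.filter((h) => isAllowedHostWeak(h) && !isAllowedHostHardened(h));
}

// Constructed Host header values.
const SAMPLE_HEADERS = [
  '127.0.0.1:9229', '[::1]:9229', 'localhost:9229',
  'localhost6:9229', 'LOCALHOST6', 'example.test:9229', 'localhost/x',
];
console.log(allowlistGap(SAMPLE_HEADERS)); // the names only the weak list trusts
```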

Risk Scores

EPSS Score: 0.27% (50.6th percentile)

Affected Products

| Vendor | Product | Versions |
| --- | --- | --- |
| Bitnami | node-min | 12.0.0, 14.0.0, 15.0.0 |
| Bitnami | node | 15.0.0, 14.0.0, 15.0.0 |
| Bitnami | node-min | 15.0.0, 10.0.0, 12.0.0 |
| Bitnami | node | 10.0.0, 12.0.0, 15.0.0 |

Timeline

  • CVE Published
  • Feb 23, 2021 PoC Published
  • Apr 14, 2021 EPSS Score
  • Jun 19, 2021 EPSS Score
  • Jun 24, 2021 EPSS Score
  • Aug 24, 2021 EPSS Score
  • Oct 25, 2021 EPSS Score
  • Jan 6, 2022 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Feb 27, 2022 EPSS Score
  • Apr 1, 2022 EPSS Score
  • Jul 2, 2022 EPSS Score