CVE-2021-23386
Potential memory exposure in dns-packet
7.7
HIGH
CVSS 3.1
EPSS 0.45%
Description
This affects the package dns-packet before versions 1.3.2 and 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over an unencrypted network when querying crafted invalid domain names.
How to fix CVE-2021-23386
To remediate CVE-2021-23386, upgrade the affected package to a fixed version below.
- upgrade to 5.2.2 or later
Is CVE-2021-23386 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- dns-packet >= 2.0.0, < 5.2.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.7) | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L |