CVE-2018-7160

Name
CVE-2018-7160
Description
The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access.
NVD Severity
high
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Vendor Advisory https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
Third Party Advisory https://support.f5.com/csp/article/K63025104?utm_source=f5support&utm_medium=RSS
N/A https://www.oracle.com//security-alerts/cpujul2021.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* nodejs >= 6.0.0 <= 6.8.1
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* nodejs >= 6.9.0 < 6.14.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status