CVE-2021-29418: Input Validation
First published: Mon Mar 29 2021(Updated: )
The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/netmask | <2.0.1 | 2.0.1 |
| IBM Cognos Analytics 11.2.x | <=IBM Cognos Analytics 11.2.x | |
| IBM Cognos Analytics 11.1.x | <=IBM Cognos Analytics 11.1.x | |
| <2.0.1 | ||
| Netmask Project Netmask | <2.0.1 | |
| redhat/nodejs-netmask | <2.0.1 | 2.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/rs/node-netmask/commit/3f19a056c4eb808ea4a29f234274c67bc5a848f4
- https://sick.codes/sick-2021-011
- https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/
- https://www.npmjs.com/package/netmask
- https://nvd.nist.gov/vuln/detail/CVE-2021-29418
- https://vuln.ryotak.me/advisories/6
- https://security.netapp.com/advisory/ntap-20210604-0001/
- https://github.com/advisories/GHSA-pch5-whg9-qr2r (Advisory)
- https://www.cve.org/CVERecord?id=CVE-2021-29418 https://nvd.nist.gov/vuln/detail/CVE-2021-29418 https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918
- https://bugzilla.redhat.com/show_bug.cgi?id=1944822
- https://access.redhat.com/errata/RHSA-2021:3016
- https://access.redhat.com/security/cve/cve-2021-29418
- https://access.redhat.com/security/cve/CVE-2021-28918
- https://vuln.ryotak.me/advisories/6.txt
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1944824
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1944823
- https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918
- https://access.redhat.com/errata/RHSA-2021:1499
- https://exchange.xforce.ibmcloud.com/vulnerabilities/199130
- https://www.ibm.com/support/pages/node/6615285 (Advisory)
- https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/
Frequently Asked Questions
What is CVE-2021-29418?
CVE-2021-29418 is a vulnerability in the netmask package before version 2.0.1 for Node.js.
What is the severity of CVE-2021-29418?
CVE-2021-29418 has a severity score of 9.1 (critical).
How does CVE-2021-29418 affect Node.js?
CVE-2021-29418 in the netmask package for Node.js allows a remote attacker to bypass security restrictions by exploiting improper handling of certain unexpected characters in an IP address string.
How can CVE-2021-29418 be exploited?
CVE-2021-29418 can be exploited by using a specially-crafted argument using octal literals.
How can I fix CVE-2021-29418?
To fix CVE-2021-29418, update the netmask package to version 2.0.1 or later.
- collector/github-advisory-latest
- alias/GHSA-pch5-whg9-qr2r
- alias/CVE-2021-29418
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/author
- agent/softwarecombine
- agent/remedy
- agent/severity
- agent/weakness
- agent/description
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/redhat-bugzilla
- source/Red Hat
- collector/github-advisory
- source/GitHub
- collector/ibm-support
- source/IBM
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2021-28918
- alias/CVE-2021-29424
- agent/references
- agent/event
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/npm
- vendor/netmask project
- canonical/netmask project netmask
- package-manager/redhat
- vendor/ibm
- canonical/ibm cognos analytics 11.2.x
- version/ibm cognos analytics 11.2.x/ibm cognos analytics 11.2.x
- canonical/ibm cognos analytics 11.1.x
- version/ibm cognos analytics 11.1.x/ibm cognos analytics 11.1.x