CVE-2021-3672 (Medium) detected in node #1049

Closed
tmarkley opened this issue Dec 29, 2021 · 1 comment · Fixed by #1028
Labels
cve Security vulnerabilities detected by Dependabot or Mend medium severity Medium severity CVE Mend: dependency security vulnerability Security vulnerability detected by Mend v2.0.0

Comments

@tmarkley
Contributor

tmarkley commented Dec 29, 2021

CVE-2021-3672 - Medium Severity Vulnerability

⚠️ Vulnerable Libraries: node@10.24.1

Dependency Hierarchy

  • node@10.24.1 (Root Library)

Found in base branch: main

🕵️ Vulnerability Details

Description

A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.

Publish Date

2021-11-23

URL

CVE-2021-3672

🎯 CVSS 3 Score Details (5.6)

Scores

Base: 5.6
Exploitability: 2.1
Impact: 3.4
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Exploitability Metrics

  • Attack Vector (AV): Network (AV:N)
  • Attack Complexity (AC): High (AC:H)
  • Privileges Required (PR): None (PR:N)
  • User Interaction (UI): None (UI:N)
  • Scope (S): Unchanged (S:U)

Impact Metrics

  • Confidentiality Impact (C): Low (C:L)
  • Integrity Impact (I): Low (I:L)
  • Availability Impact (A): Low (A:L)

🔧 Suggested Fix

How to fix?

Upgrade node to version 16.6.2, 14.17.5, 12.22.5 or higher.

Origin

https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-1540538

@tmarkley tmarkley added Mend: dependency security vulnerability Security vulnerability detected by Mend medium severity Medium severity CVE labels Dec 29, 2021
@tmarkley tmarkley linked a pull request Dec 29, 2021 that will close this issue
@tmarkley tmarkley changed the title CVE-2021-3672 (Medium) detected in node CVE-2021-3672 (Medium) detected in node Dec 29, 2021
@mend-for-github-com mend-for-github-com bot changed the title CVE-2021-3672 (Medium) detected in node CVE-2021-3672 (Medium) detected in node - autoclosed Jan 4, 2022
@mend-for-github-com

✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.

@tmarkley tmarkley changed the title CVE-2021-3672 (Medium) detected in node - autoclosed CVE-2021-3672 (Medium) detected in node Jan 4, 2022
@tmarkley tmarkley reopened this Jan 4, 2022
@tmarkley tmarkley added cve Security vulnerabilities detected by Dependabot or Mend v2.0.0 labels Jan 6, 2022
AMoo-Miki pushed a commit to AMoo-Miki/OpenSearch-Dashboards that referenced this issue Feb 10, 2022