Vulnerability Details CVE-2018-7160
The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.011
EPSS Ranking 76.9%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.8
References
- https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
- https://support.f5.com/csp/article/K63025104?utm_source=f5support&%3Butm_medium=RSS
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
- https://support.f5.com/csp/article/K63025104?utm_source=f5support&%3Butm_medium=RSS
- https://www.oracle.com//security-alerts/cpujul2021.html
Products affected by CVE-2018-7160
-
cpe:2.3:a:nodejs:node.js:6.0.0
-
cpe:2.3:a:nodejs:node.js:6.1.0
-
cpe:2.3:a:nodejs:node.js:6.10.0
-
cpe:2.3:a:nodejs:node.js:6.10.1
-
cpe:2.3:a:nodejs:node.js:6.10.2
-
cpe:2.3:a:nodejs:node.js:6.10.3
-
cpe:2.3:a:nodejs:node.js:6.11.0
-
cpe:2.3:a:nodejs:node.js:6.11.1
-
cpe:2.3:a:nodejs:node.js:6.11.2
-
cpe:2.3:a:nodejs:node.js:6.11.3
-
cpe:2.3:a:nodejs:node.js:6.11.4
-
cpe:2.3:a:nodejs:node.js:6.11.5
-
cpe:2.3:a:nodejs:node.js:6.12.0
-
cpe:2.3:a:nodejs:node.js:6.12.1
-
cpe:2.3:a:nodejs:node.js:6.12.2
-
cpe:2.3:a:nodejs:node.js:6.12.3
-
cpe:2.3:a:nodejs:node.js:6.13.0
-
cpe:2.3:a:nodejs:node.js:6.13.1
-
cpe:2.3:a:nodejs:node.js:6.2.0
-
cpe:2.3:a:nodejs:node.js:6.2.1
-
cpe:2.3:a:nodejs:node.js:6.2.2
-
cpe:2.3:a:nodejs:node.js:6.3.0
-
cpe:2.3:a:nodejs:node.js:6.3.1
-
cpe:2.3:a:nodejs:node.js:6.4.0
-
cpe:2.3:a:nodejs:node.js:6.5.0
-
cpe:2.3:a:nodejs:node.js:6.6.0
-
cpe:2.3:a:nodejs:node.js:6.7.0
-
cpe:2.3:a:nodejs:node.js:6.8.0
-
cpe:2.3:a:nodejs:node.js:6.8.1
-
cpe:2.3:a:nodejs:node.js:6.9.0
-
cpe:2.3:a:nodejs:node.js:6.9.1
-
cpe:2.3:a:nodejs:node.js:6.9.2
-
cpe:2.3:a:nodejs:node.js:6.9.3
-
cpe:2.3:a:nodejs:node.js:6.9.4
-
cpe:2.3:a:nodejs:node.js:6.9.5
-
cpe:2.3:a:nodejs:node.js:8.0.0
-
cpe:2.3:a:nodejs:node.js:8.1.0
-
cpe:2.3:a:nodejs:node.js:8.1.1
-
cpe:2.3:a:nodejs:node.js:8.1.2
-
cpe:2.3:a:nodejs:node.js:8.1.3
-
cpe:2.3:a:nodejs:node.js:8.1.4
-
cpe:2.3:a:nodejs:node.js:8.10.0
-
cpe:2.3:a:nodejs:node.js:8.2.0
-
cpe:2.3:a:nodejs:node.js:8.2.1
-
cpe:2.3:a:nodejs:node.js:8.3.0
-
cpe:2.3:a:nodejs:node.js:8.4.0
-
cpe:2.3:a:nodejs:node.js:8.5.0
-
cpe:2.3:a:nodejs:node.js:8.6.0
-
cpe:2.3:a:nodejs:node.js:8.7.0
-
cpe:2.3:a:nodejs:node.js:8.8.0
-
cpe:2.3:a:nodejs:node.js:8.8.1
-
cpe:2.3:a:nodejs:node.js:8.9.0
-
cpe:2.3:a:nodejs:node.js:8.9.1
-
cpe:2.3:a:nodejs:node.js:8.9.2
-
cpe:2.3:a:nodejs:node.js:8.9.3
-
cpe:2.3:a:nodejs:node.js:8.9.4
-
cpe:2.3:a:nodejs:node.js:9.0.0
-
cpe:2.3:a:nodejs:node.js:9.1.0
-
cpe:2.3:a:nodejs:node.js:9.2.0
-
cpe:2.3:a:nodejs:node.js:9.2.1
-
cpe:2.3:a:nodejs:node.js:9.3.0
-
cpe:2.3:a:nodejs:node.js:9.4.0
-
cpe:2.3:a:nodejs:node.js:9.5.0
-
cpe:2.3:a:nodejs:node.js:9.6.0
-
cpe:2.3:a:nodejs:node.js:9.6.1
-
cpe:2.3:a:nodejs:node.js:9.7.0
-
cpe:2.3:a:nodejs:node.js:9.7.1
-
cpe:2.3:a:nodejs:node.js:9.8.0
-
cpe:2.3:a:nodejs:node.js:9.9.0