CVE-2018-7160

Description

The Node.js inspector in 6.x and later is vulnerable to a DNS rebinding attack that could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or on another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser into bypassing same-origin-policy checks and allowing HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger and get full code execution access.
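One defensive check against the rebinding described above is to validate the `Host` header on a loopback-only debug or admin endpoint: a rebound page still sends its own DNS name in `Host`, so anything other than `localhost` or an IP literal is refused. This is an added example, not code from this page or from Node.js; `isRebindSafeHost` and the sample header values are hypothetical.

```javascript
// Added example: Host-header validation for a loopback-only debug endpoint.
// isRebindSafeHost and the sample values below are hypothetical.

// Only characters that can appear in "host", "host:port" or "[v6]:port".
const HOST_CHARS = /^[a-z0-9.\-\[\]:]+$/i;
const DOTTED_IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

function isRebindSafeHost(hostHeader) {
  if (typeof hostHeader !== 'string' || !HOST_CHARS.test(hostHeader)) {
    return false; // missing header, or userinfo tricks such as "a@127.0.0.1"
  }
  let hostname;
  try {
    // The WHATWG URL parser strips the port and canonicalises IP literals.
    hostname = new URL('http://' + hostHeader).hostname;
  } catch (err) {
    return false; // unparsable Host value
  }
  // An IP literal in Host means the browser was not given a DNS name,
  // so there is no attacker-controlled record to rebind.
  if (DOTTED_IPV4.test(hostname)) return true;
  if (hostname.startsWith('[') && hostname.endsWith(']')) return true;
  // Any other DNS name may resolve to loopback after a rebind: reject it.
  return hostname === 'localhost';
}

// Constructed sample Host headers (not taken from the advisory).
const samples = [
  'localhost:9229',
  '127.0.0.1:9229',
  '[::1]:9229',
  'rebind.attacker.example:9229',
  '127.0.0.1.attacker.example',
];
for (const host of samples) {
  console.log(host.padEnd(32), isRebindSafeHost(host) ? 'accept' : 'reject');
}
```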

Risk Information

Base Score: 8.8 (MODERATE)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score (Exploitation Probability): 1.501

Associated Vulnerability

Vulnerability | OS Platform
Vulnerabilities CVE-2021-22883, CVE-2021-22884, CVE-2018-7160, CVE-2021-23840 are fixed in Node.js 12 (x64) (12.21.0) | Windows
Vulnerabilities CVE-2021-22883, CVE-2021-22884, CVE-2018-7160, CVE-2021-23840 are fixed in Node.js 12 (12.21.0) | Windows
Multiple vulnerabilities are fixed in Node.js 14 (x64) (14.20.1) | Windows
Multiple vulnerabilities are fixed in Node.js 14 (14.20.1) | Windows
Vulnerabilities CVE-2021-22883, CVE-2021-22884, CVE-2018-7160, CVE-2021-23840 are fixed in Node.js 14 (x64) (14.16.0) | Windows
Vulnerabilities CVE-2021-22883, CVE-2021-22884, CVE-2018-7160, CVE-2021-23840 are fixed in Node.js 14 (14.16.0) | Windows
Multiple vulnerabilities are fixed in Node.js 16 (x64) (16.17.1) | Windows
Multiple vulnerabilities are fixed in Node.js 16 (16.17.1) | Windows
Multiple vulnerabilities are fixed in Node.js 18 (18.17.0) | Windows
Multiple vulnerabilities are fixed in Node.js 18 (x64) (18.17.0) | Windows
Vulnerabilities CVE-2021-22883, CVE-2021-22884, CVE-2018-7160, CVE-2021-23840 are fixed in Node.js 10 (x64) (10.24.0) | Windows
Vulnerabilities CVE-2021-22883, CVE-2021-22884, CVE-2018-7160, CVE-2021-23840 are fixed in Node.js 10 (10.24.0) | Windows
Vulnerabilities CVE-2021-22883, CVE-2021-22884, CVE-2018-7160, CVE-2021-23840 are fixed in Node.js 15.10.0 | Windows
Vulnerabilities CVE-2018-0739, CVE-2018-7160, CVE-2018-7158, CVE-2018-7159 are fixed in Node.js 10 (10.24.1) | Windows
Vulnerabilities CVE-2018-0739, CVE-2018-7160, CVE-2018-7158, CVE-2018-7159 are fixed in Node.js 16 (x64) (16.14.0) | Windows
Vulnerabilities CVE-2018-0739, CVE-2018-7160, CVE-2018-7158, CVE-2018-7159 are fixed in Node.js 16 (16.14.0) | Windows
Vulnerabilities CVE-2021-22883, CVE-2021-22884, CVE-2018-7160, CVE-2021-23840 are fixed in Node.js 10 (x64) (10.24.1) | Windows
Vulnerabilities CVE-2018-0739, CVE-2018-7160, CVE-2018-7158, CVE-2018-7159 are fixed in Node.js 8 8.11.0 | Windows
Vulnerabilities CVE-2018-0739, CVE-2018-7160, CVE-2018-7158, CVE-2018-7159 are fixed in Node.js 8 (x64) 8.11.0 | Windows
Vulnerabilities CVE-2018-0739, CVE-2018-7160, CVE-2018-7158, CVE-2018-7159 are fixed in Node.js 9.10.0 | Windows
Vulnerabilities CVE-2018-0739, CVE-2018-7160, CVE-2018-7158, CVE-2018-7159 are fixed in Node.js 4.9.0 | Windows
Multiple Vulnerabilities are affected in IBM Planning Analytics Local 2.0 | Windows
Authentication Bypass by Spoofing Vulnerability (CVE-2018-7160) | NCM

Patch Details

Patches provided by ManageEngine for this CVE:
Patch ID | Patch Description
PATCH-324371 | Node.js 12 (x64) (12.22.12)
PATCH-324370 | Node.js 12 (12.22.12)
PATCH-329083 | Node.js 14 (x64) (14.21.3)
PATCH-329082 | Node.js 14 (14.21.3)
PATCH-331257 | Node.js 16 (x64) (16.20.1)
PATCH-331256 | Node.js 16 (16.20.1)
PATCH-331762 | Node.js 18 (18.17.0)
PATCH-331763 | Node.js 18 (x64) (18.17.0)
PATCH-319043 | Node.js 10 (x64) (10.24.1)
PATCH-319042 | Node.js 10 (10.24.1)
PATCH-332182 | Node.js 16 (x64) (16.20.2)
PATCH-332181 | Node.js 16 (16.20.2)
