Vulnerability-Lookup

CVE-2021-29418 (GCVE-0-2021-29418)

Vulnerability from cvelistv5 – Published: 2021-03-30 06:08 – Updated: 2024-08-03 22:02

Summary

The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://github.com/rs/node-netmask/commit/3f19a05…	x_refsource_MISC
	https://vuln.ryotak.me/advisories/6	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-2021060…	x_refsource_CONFIRM

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T22:02:51.874Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rs/node-netmask/commit/3f19a056c4eb808ea4a29f234274c67bc5a848f4"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://vuln.ryotak.me/advisories/6"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210604-0001/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-04T09:06:24.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rs/node-netmask/commit/3f19a056c4eb808ea4a29f234274c67bc5a848f4"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://vuln.ryotak.me/advisories/6"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210604-0001/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-29418",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/rs/node-netmask/commit/3f19a056c4eb808ea4a29f234274c67bc5a848f4",
              "refsource": "MISC",
              "url": "https://github.com/rs/node-netmask/commit/3f19a056c4eb808ea4a29f234274c67bc5a848f4"
            },
            {
              "name": "https://vuln.ryotak.me/advisories/6",
              "refsource": "MISC",
              "url": "https://vuln.ryotak.me/advisories/6"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210604-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210604-0001/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-29418",
    "datePublished": "2021-03-30T06:08:00.000Z",
    "dateReserved": "2021-03-29T00:00:00.000Z",
    "dateUpdated": "2024-08-03T22:02:51.874Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GSD-2021-29418

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-29418

Aliases

CVE-2021-29418

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-29418",
    "description": "The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.",
    "id": "GSD-2021-29418",
    "references": [
      "https://access.redhat.com/errata/RHSA-2021:3016",
      "https://access.redhat.com/errata/RHSA-2021:1499"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-29418"
      ],
      "details": "The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.",
      "id": "GSD-2021-29418",
      "modified": "2023-12-13T01:23:36.633636Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2021-29418",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/rs/node-netmask/commit/3f19a056c4eb808ea4a29f234274c67bc5a848f4",
            "refsource": "MISC",
            "url": "https://github.com/rs/node-netmask/commit/3f19a056c4eb808ea4a29f234274c67bc5a848f4"
          },
          {
            "name": "https://vuln.ryotak.me/advisories/6",
            "refsource": "MISC",
            "url": "https://vuln.ryotak.me/advisories/6"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20210604-0001/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20210604-0001/"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c2.0.1",
          "affected_versions": "All versions before 2.0.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-20",
            "CWE-937"
          ],
          "date": "2021-06-08",
          "description": "The netmask package for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of This (in some situations) allows attackers to bypass access control that is based on IP addresses.",
          "fixed_versions": [
            "2.0.1"
          ],
          "identifier": "CVE-2021-29418",
          "identifiers": [
            "CVE-2021-29418"
          ],
          "not_impacted": "All versions starting from 2.0.1",
          "package_slug": "npm/netmask",
          "pubdate": "2021-03-30",
          "solution": "Upgrade to version 2.0.1 or above.",
          "title": "Improper Input Validation",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-29418"
          ],
          "uuid": "7b553f43-5022-496e-b2ad-4d0d80bbab28"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:netmask_project:netmask:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.0.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-29418"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/rs/node-netmask/commit/3f19a056c4eb808ea4a29f234274c67bc5a848f4",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/rs/node-netmask/commit/3f19a056c4eb808ea4a29f234274c67bc5a848f4"
            },
            {
              "name": "https://vuln.ryotak.me/advisories/6",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://vuln.ryotak.me/advisories/6"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210604-0001/",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20210604-0001/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2021-06-08T13:52Z",
      "publishedDate": "2021-03-30T07:15Z"
    }
  }
}

CERTFR-2025-AVI-0608

Vulnerability from certfr_avis - Published: 2025-07-18 - Updated: 2025-07-18

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
IBM	QRadar SIEM	QRadar SIEM versions 7.5.0 sans les derniers correctifs de sécurité pour les protocoles GoogleCloudPubSub, GoogleCommon et GoogleGSuiteActivityReportsRESTAPI
IBM	QRadar SIEM	QRadar SIEM versions 7.5.0 antérieures à 7.5.0 UP12 IF03
IBM	WebSphere	WebSphere Remote Server sans les derniers correctifs de sécurité
IBM	Sterling Connect:Direct	Sterling Connect:Direct versions 6.4.x antérieures à 6.4.0.2 pour Unix
IBM	Sterling	Sterling Connect:Direct FTP+ versions 1.3.0 antérieures à 1.3.0.1
IBM	Db2 Query Management Facility	Db2 Query Management Facility versions 13.1 et 12.2.0.5 sans le JRE 8.0.8.45
IBM	Sterling Connect:Direct	Sterling Connect:Direct versions 6.3.x antérieures à 6.3.0.5 pour Unix
IBM	Cognos Analytics	Cognos Analytics versions 11.2.x antérieures à 11.2.3
IBM	Sterling Connect:Direct	Sterling Connect:Direct versions 6.2.x antérieures à 6.2.0.7 pour Windows
IBM	QRadar Incident Forensics	QRadar Incident Forensics versions 7.5.0 antérieures à 7.5.0 UP12 IF03
IBM	WebSphere	WebSphere Application Server Liberty versions antérieures à 25.0.0.8
IBM	Sterling Connect:Direct	Sterling Connect:Direct versions 6.2.x antérieures à 6.2.0.7.iFix052 pour Unix
IBM	Cognos Analytics	Cognos Analytics versions 11.1.x antérieures à 11.1.7 Fix Pack 5
IBM	WebSphere	WebSphere Application Server versions 9.0.0.x antérieures à 9.0.5.25
IBM	WebSphere	WebSphere eXtreme Scale versions 8.6.1.x antérieures à 8.6.1.6 sans le correctif PH67142 iFix

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 7239645	2025-07-14	vendor-advisory
Bulletin de sécurité IBM 7239617	2025-07-14	vendor-advisory
Bulletin de sécurité IBM 7239753	2025-07-15	vendor-advisory
Bulletin de sécurité IBM 7239757	2025-07-15	vendor-advisory
Bulletin de sécurité IBM 7239856	2025-07-16	vendor-advisory
Bulletin de sécurité IBM 7239492	2025-07-11	vendor-advisory
Bulletin de sécurité IBM 6615285	2025-07-15	vendor-advisory
Bulletin de sécurité IBM 7239816	2025-07-15	vendor-advisory
Bulletin de sécurité IBM 7239564	2025-07-11	vendor-advisory
Bulletin de sécurité IBM 7239627	2025-07-14	vendor-advisory
Bulletin de sécurité IBM 7239598	2025-07-14	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "QRadar SIEM versions 7.5.0 sans les derniers correctifs de s\u00e9curit\u00e9 pour les protocoles GoogleCloudPubSub, GoogleCommon et GoogleGSuiteActivityReportsRESTAPI",
      "product": {
        "name": "QRadar SIEM",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "QRadar SIEM versions 7.5.0 ant\u00e9rieures \u00e0 7.5.0 UP12 IF03",
      "product": {
        "name": "QRadar SIEM",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "WebSphere Remote Server sans les derniers correctifs de s\u00e9curit\u00e9",
      "product": {
        "name": "WebSphere",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Connect:Direct versions 6.4.x ant\u00e9rieures \u00e0 6.4.0.2 pour Unix",
      "product": {
        "name": "Sterling Connect:Direct",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Connect:Direct FTP+ versions 1.3.0 ant\u00e9rieures \u00e0 1.3.0.1",
      "product": {
        "name": "Sterling",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Db2 Query Management Facility versions 13.1 et 12.2.0.5 sans le JRE 8.0.8.45",
      "product": {
        "name": "Db2 Query Management Facility",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Connect:Direct versions 6.3.x ant\u00e9rieures \u00e0 6.3.0.5 pour Unix",
      "product": {
        "name": "Sterling Connect:Direct",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Cognos Analytics versions 11.2.x ant\u00e9rieures \u00e0 11.2.3",
      "product": {
        "name": "Cognos Analytics",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Connect:Direct versions 6.2.x ant\u00e9rieures \u00e0 6.2.0.7 pour Windows",
      "product": {
        "name": "Sterling Connect:Direct",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "QRadar Incident Forensics versions 7.5.0 ant\u00e9rieures \u00e0 7.5.0 UP12 IF03",
      "product": {
        "name": "QRadar Incident Forensics",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "WebSphere Application Server Liberty versions ant\u00e9rieures \u00e0 25.0.0.8",
      "product": {
        "name": "WebSphere",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Connect:Direct versions 6.2.x ant\u00e9rieures \u00e0 6.2.0.7.iFix052 pour Unix",
      "product": {
        "name": "Sterling Connect:Direct",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Cognos Analytics versions 11.1.x ant\u00e9rieures \u00e0 11.1.7 Fix Pack 5",
      "product": {
        "name": "Cognos Analytics",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "WebSphere Application Server versions 9.0.0.x ant\u00e9rieures \u00e0 9.0.5.25",
      "product": {
        "name": "WebSphere",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "WebSphere eXtreme Scale versions 8.6.1.x ant\u00e9rieures \u00e0 8.6.1.6 sans le correctif PH67142 iFix",
      "product": {
        "name": "WebSphere",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-4447",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-4447"
    },
    {
      "name": "CVE-2020-4301",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-4301"
    },
    {
      "name": "CVE-2024-52005",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-52005"
    },
    {
      "name": "CVE-2021-20468",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20468"
    },
    {
      "name": "CVE-2023-44487",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
    },
    {
      "name": "CVE-2025-49125",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-49125"
    },
    {
      "name": "CVE-2021-29823",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-29823"
    },
    {
      "name": "CVE-2021-44532",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44532"
    },
    {
      "name": "CVE-2025-36097",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-36097"
    },
    {
      "name": "CVE-2022-36773",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-36773"
    },
    {
      "name": "CVE-2021-3807",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3807"
    },
    {
      "name": "CVE-2025-48976",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-48976"
    },
    {
      "name": "CVE-2025-21587",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-21587"
    },
    {
      "name": "CVE-2022-29078",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-29078"
    },
    {
      "name": "CVE-2023-33953",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-33953"
    },
    {
      "name": "CVE-2021-23438",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-23438"
    },
    {
      "name": "CVE-2021-43797",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43797"
    },
    {
      "name": "CVE-2023-32732",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-32732"
    },
    {
      "name": "CVE-2025-48988",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-48988"
    },
    {
      "name": "CVE-2022-30614",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-30614"
    },
    {
      "name": "CVE-2025-30698",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30698"
    },
    {
      "name": "CVE-2022-49395",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-49395"
    },
    {
      "name": "CVE-2021-44533",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44533"
    },
    {
      "name": "CVE-2025-22869",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-22869"
    },
    {
      "name": "CVE-2021-29418",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-29418"
    },
    {
      "name": "CVE-2020-36518",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-36518"
    },
    {
      "name": "CVE-2021-39045",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-39045"
    },
    {
      "name": "CVE-2022-21824",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21824"
    },
    {
      "name": "CVE-2022-21803",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21803"
    },
    {
      "name": "CVE-2021-39009",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-39009"
    },
    {
      "name": "CVE-2025-32414",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-32414"
    },
    {
      "name": "CVE-2020-16156",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-16156"
    },
    {
      "name": "CVE-2025-2900",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-2900"
    },
    {
      "name": "CVE-2025-5283",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-5283"
    },
    {
      "name": "CVE-2021-44531",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44531"
    },
    {
      "name": "CVE-2021-28918",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-28918"
    },
    {
      "name": "CVE-2025-36038",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-36038"
    },
    {
      "name": "CVE-2020-28469",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-28469"
    },
    {
      "name": "CVE-2021-3749",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3749"
    },
    {
      "name": "CVE-2025-48734",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-48734"
    }
  ],
  "initial_release_date": "2025-07-18T00:00:00",
  "last_revision_date": "2025-07-18T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-0608",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-07-18T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": "2025-07-14",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7239645",
      "url": "https://www.ibm.com/support/pages/node/7239645"
    },
    {
      "published_at": "2025-07-14",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7239617",
      "url": "https://www.ibm.com/support/pages/node/7239617"
    },
    {
      "published_at": "2025-07-15",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7239753",
      "url": "https://www.ibm.com/support/pages/node/7239753"
    },
    {
      "published_at": "2025-07-15",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7239757",
      "url": "https://www.ibm.com/support/pages/node/7239757"
    },
    {
      "published_at": "2025-07-16",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7239856",
      "url": "https://www.ibm.com/support/pages/node/7239856"
    },
    {
      "published_at": "2025-07-11",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7239492",
      "url": "https://www.ibm.com/support/pages/node/7239492"
    },
    {
      "published_at": "2025-07-15",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6615285",
      "url": "https://www.ibm.com/support/pages/node/6615285"
    },
    {
      "published_at": "2025-07-15",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7239816",
      "url": "https://www.ibm.com/support/pages/node/7239816"
    },
    {
      "published_at": "2025-07-11",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7239564",
      "url": "https://www.ibm.com/support/pages/node/7239564"
    },
    {
      "published_at": "2025-07-14",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7239627",
      "url": "https://www.ibm.com/support/pages/node/7239627"
    },
    {
      "published_at": "2025-07-14",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7239598",
      "url": "https://www.ibm.com/support/pages/node/7239598"
    }
  ]
}

CERTFR-2022-AVI-785

Vulnerability from certfr_avis - Published: 2022-09-01 - Updated: 2022-09-01

De multiples vulnérabilités ont été découvertes dans IBM Cognos Analytics. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	IBM	Cognos Analytics	IBM Cognos Analytics versions 11.1.x antérieures à 11.1.7 Fix Pack 5
	IBM	Cognos Analytics	IBM Cognos Analytics versions 11.2.x antérieures à 11.2.3

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6615285 du 31 août 2022

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM Cognos Analytics versions 11.1.x ant\u00e9rieures \u00e0 11.1.7 Fix Pack 5",
      "product": {
        "name": "Cognos Analytics",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Cognos Analytics versions 11.2.x ant\u00e9rieures \u00e0 11.2.3",
      "product": {
        "name": "Cognos Analytics",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-4301",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-4301"
    },
    {
      "name": "CVE-2021-20468",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20468"
    },
    {
      "name": "CVE-2021-29823",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-29823"
    },
    {
      "name": "CVE-2021-44532",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44532"
    },
    {
      "name": "CVE-2022-36773",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-36773"
    },
    {
      "name": "CVE-2021-3807",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3807"
    },
    {
      "name": "CVE-2022-29078",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-29078"
    },
    {
      "name": "CVE-2021-23438",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-23438"
    },
    {
      "name": "CVE-2021-43797",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43797"
    },
    {
      "name": "CVE-2022-30614",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-30614"
    },
    {
      "name": "CVE-2021-44533",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44533"
    },
    {
      "name": "CVE-2021-29418",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-29418"
    },
    {
      "name": "CVE-2020-36518",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-36518"
    },
    {
      "name": "CVE-2021-39045",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-39045"
    },
    {
      "name": "CVE-2022-21824",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21824"
    },
    {
      "name": "CVE-2022-21803",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21803"
    },
    {
      "name": "CVE-2021-39009",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-39009"
    },
    {
      "name": "CVE-2021-44531",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44531"
    },
    {
      "name": "CVE-2021-28918",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-28918"
    },
    {
      "name": "CVE-2020-28469",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-28469"
    },
    {
      "name": "CVE-2021-3749",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3749"
    }
  ],
  "initial_release_date": "2022-09-01T00:00:00",
  "last_revision_date": "2022-09-01T00:00:00",
  "links": [],
  "reference": "CERTFR-2022-AVI-785",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-09-01T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans IBM Cognos\nAnalytics. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de\nservice \u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM Cognos Analytics",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6615285 du 31 ao\u00fbt 2022",
      "url": "https://www.ibm.com/support/pages/node/6615285"
    }
  ]
}

FKIE_CVE-2021-29418

Vulnerability from fkie_nvd - Published: 2021-03-30 07:15 - Updated: 2024-11-21 06:01

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Summary

References

URL	Tags
cve@mitre.org	https://github.com/rs/node-netmask/commit/3f19a056c4eb808ea4a29f234274c67bc5a848f4	Patch, Third Party Advisory
cve@mitre.org	https://security.netapp.com/advisory/ntap-20210604-0001/	Third Party Advisory
cve@mitre.org	https://vuln.ryotak.me/advisories/6	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/rs/node-netmask/commit/3f19a056c4eb808ea4a29f234274c67bc5a848f4	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20210604-0001/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://vuln.ryotak.me/advisories/6	Third Party Advisory

Impacted products

	Vendor	Product	Version
	netmask_project	netmask	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netmask_project:netmask:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "3CFF67CA-6DE5-47E3-9D52-EA33D9F3B17C",
              "versionEndExcluding": "2.0.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918."
    },
    {
      "lang": "es",
      "value": "El paquete netmask versiones anteriores a 2.0.1 para Node.js, maneja inapropiadamente determinados caracteres inesperados en una cadena de direcciones IP, como un d\u00edgito octal de 9. Esto (en algunas situaciones) permite a atacantes omitir el control de acceso que es basado en direcciones IP.\u0026#xa0;NOTA: este problema se presenta debido a una correcci\u00f3n incompleta para el CVE-2021-28918."
    }
  ],
  "id": "CVE-2021-29418",
  "lastModified": "2024-11-21T06:01:03.680",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-03-30T07:15:13.113",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/rs/node-netmask/commit/3f19a056c4eb808ea4a29f234274c67bc5a848f4"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20210604-0001/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://vuln.ryotak.me/advisories/6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/rs/node-netmask/commit/3f19a056c4eb808ea4a29f234274c67bc5a848f4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20210604-0001/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://vuln.ryotak.me/advisories/6"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-PCH5-WHG9-QR2R

Vulnerability from github – Published: 2021-03-29 21:32 – Updated: 2023-09-08 20:25

Summary

netmask npm package mishandles octal input data

Details

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "netmask"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29418"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-29T21:31:24Z",
    "nvd_published_at": "2021-03-30T07:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.",
  "id": "GHSA-pch5-whg9-qr2r",
  "modified": "2023-09-08T20:25:35Z",
  "published": "2021-03-29T21:32:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29418"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rs/node-netmask/commit/3f19a056c4eb808ea4a29f234274c67bc5a848f4"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210604-0001"
    },
    {
      "type": "WEB",
      "url": "https://sick.codes/sick-2021-011"
    },
    {
      "type": "WEB",
      "url": "https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918"
    },
    {
      "type": "WEB",
      "url": "https://vuln.ryotak.me/advisories/6"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/netmask"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "netmask npm package mishandles octal input data"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-29418 (GCVE-0-2021-29418)

GSD-2021-29418

CERTFR-2025-AVI-0608

Solutions

CERTFR-2022-AVI-785

Solution

FKIE_CVE-2021-29418

GHSA-PCH5-WHG9-QR2R

Tags

Sightings

Nomenclature