Incorrect Type Conversion or Cast

CVE-2021-28918

High

9.1/10

Summary

Improper input validation of octal strings in the netmask npm package versions through 1.0.6 allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-704 - Incorrect Type Conversion or Cast

The software does not correctly convert an object, resource, or structure from one type to a different type.

References

Advisory
Release Note
Disclosure

Advisory Timeline

Published Apr 01, 2021

Incorrect Type Conversion or Cast

CVE-2021-28918

Summary

CWE-704 - Incorrect Type Conversion or Cast

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS