Missing Initialization of Resource

CVE-2021-23386

Medium

6.5/10

Summary

This affects the package dns-packet before versions 1.3.2, and 2.0.0 before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-909 - Missing Initialization of Resource

The software does not initialize a critical resource.

References

Advisory

Advisory Timeline

Published May 20, 2021

Missing Initialization of Resource

CVE-2021-23386

Summary

CWE-909 - Missing Initialization of Resource

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS