Security researchers have disclosed a critical vulnerability, tracked as CVE-2021-28918, in the npm library netmask, which thousands of applications use to parse and compare IPv4 addresses and CIDR blocks (the notation used to allocate IP address ranges and to route traffic).
The npm netmask library records more than 3 million weekly downloads and has passed 238 million downloads over its lifetime. In addition, almost 278 thousand GitHub repositories depend on netmask. Because of improper input validation, netmask can resolve an input to a different IP address than intended, and this flaw may allow attackers to perform server-side request forgery (SSRF) against downstream applications.
Security researchers Victor Viale, Sick Codes, Nick Sahler, Kelly Kaoudis and John Jackson tracked down the vulnerability in the popular netmask library. They first noticed the flaw while developing a patch for a separate critical SSRF vulnerability (CVE-2020-28360) in the downstream private-ip package, which helps prevent private IP addresses from reaching an application's internal resources.
The researchers first discovered the flaw on March 16 and advised Node.js developers to check their projects for use of netmask and to update immediately if they find the package in use.
Olivier Poitrey, the netmask maintainer and an engineering director at Netflix, has released a series of patches for the bug on GitHub. With international news agencies.
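The article describes the root cause only as improper input validation that makes the library resolve a different IP than intended, which is exactly what an SSRF filter built on such a library cannot tolerate. The following is an added example, not code from netmask or from private-ip: a strict IPv4 and CIDR checker that accepts only canonical dotted-decimal notation and treats everything else (leading zeros, hexadecimal, fewer than four octets, out-of-range values) as invalid rather than silently reinterpreting it, and then matches the address against a blocklist of private ranges constructed for this example.

```javascript
// Added example (not netmask's own code): strict IPv4/CIDR validation for an
// SSRF filter. Any input that is not canonical dotted-decimal is rejected, so
// an ambiguous notation can never be reinterpreted as a different host.

// Parse a canonical dotted-quad IPv4 address into a 32-bit unsigned integer.
// Returns null for anything else: wrong octet count, leading zeros (which some
// parsers read as octal), hex digits, values above 255, surrounding whitespace.
function parseStrictIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  let v = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = m[i];
    if (octet.length > 1 && octet[0] === '0') return null; // no leading zeros
    const n = Number(octet);
    if (n > 255) return null;
    v = v * 256 + n;
  }
  return v >>> 0;
}

// Parse "a.b.c.d/len" into { base, mask } (both unsigned 32-bit) or null.
function parseCidr(cidr) {
  const parts = cidr.split('/');
  if (parts.length !== 2) return null;
  const base = parseStrictIPv4(parts[0]);
  const len = /^\d{1,2}$/.test(parts[1]) ? Number(parts[1]) : NaN;
  if (base === null || !(len >= 0 && len <= 32)) return null;
  // JS shifts modulo 32, so a /0 prefix needs its own case.
  const mask = len === 0 ? 0 : (0xFFFFFFFF << (32 - len)) >>> 0;
  return { base: (base & mask) >>> 0, mask };
}

// Private, loopback and link-local ranges; a constructed blocklist for this example.
const BLOCKED = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16',
                 '127.0.0.0/8', '169.254.0.0/16'].map(parseCidr);

// Returns 'blocked', 'allowed' or 'invalid'. Unparseable input is never
// treated as "not private"; it is rejected outright (fail closed).
function classify(addr) {
  const ip = parseStrictIPv4(addr);
  if (ip === null) return 'invalid';
  const hit = BLOCKED.some(r => ((ip & r.mask) >>> 0) === r.base);
  return hit ? 'blocked' : 'allowed';
}
```

The fail-closed `invalid` result is the point: a filter that forwards whatever its parser did not recognise is the pattern that turns a parsing discrepancy into an SSRF bypass.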
See the original post at: https://www.cisoadvisor.com.br/278-mil-repositorios-github-foram-afetados-por-falha-critica-de-rede-dizem-analistas/?rand=59039