Vulnerability Details : CVE-2021-23406
This affects the package pac-resolver before 5.0.0. The issue arises when the package is used with untrusted input, because of unsafe PAC file handling. **NOTE:** The fix for this vulnerability is applied in the node-degenerator library, a dependency written by the same maintainer.
Products affected by CVE-2021-23406
- cpe:2.3:a:pac-resolver_project:pac-resolver:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-23406
- EPSS score: 0.46% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~75% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2021-23406
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
| 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
| 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | Snyk | |
References for CVE-2021-23406
- https://snyk.io/vuln/SNYK-JS-PACRESOLVER-1564857 : Remote Code Execution (RCE) in pac-resolver | Snyk (Exploit; Patch; Third Party Advisory)
- https://github.com/TooTallNate/node-pac-resolver/releases/tag/5.0.0 : Release 5.0.0 · TooTallNate/node-pac-resolver · GitHub (Patch; Release Notes; Third Party Advisory)
- https://github.com/TooTallNate/node-degenerator/commit/9d25bb67d957bc2e5425fea7bf7a58b3fc64ff9e : Fix `filename` option · TooTallNate/node-degenerator@9d25bb6 · GitHub (Patch; Third Party Advisory)
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1568506 : Remote Code Execution (RCE) in org.webjars.npm:pac-resolver | Snyk (Exploit; Patch; Third Party Advisory)
- https://github.com/TooTallNate/node-degenerator/commit/ccc3445354135398b6eb1a04c7d27c13b833f2d5 : Fix return `undefined` · TooTallNate/node-degenerator@ccc3445 · GitHub (Patch; Third Party Advisory)