CVE-2021-22918

medium

Description

Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().

References

https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/

https://hackerone.com/reports/1209681

https://security.netapp.com/advisory/ntap-20210805-0003/

Details

Source: MITRE

Published: 2021-07-12

Updated: 2021-09-20

Type: CWE-125

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 5.3

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Impact Score: 1.4

Exploitability Score: 3.9

Severity: MEDIUM

Tenable Plugins

ID | Name | Product | Family | Severity
153553 | RHEL 8 : nodejs:12 (RHSA-2021:3639) | Nessus | Red Hat Local Security Checks | critical
153552 | RHEL 8 : nodejs:12 (RHSA-2021:3638) | Nessus | Red Hat Local Security Checks | critical
152583 | CentOS 8 : libuv (CESA-2021:3075) | Nessus | CentOS Local Security Checks | medium
152498 | Oracle Linux 8 : nodejs:12 (ELSA-2021-3073) | Nessus | Oracle Linux Local Security Checks | medium
152495 | Oracle Linux 8 : nodejs:14 (ELSA-2021-3074) | Nessus | Oracle Linux Local Security Checks | medium
152494 | Oracle Linux 8 : libuv (ELSA-2021-3075) | Nessus | Oracle Linux Local Security Checks | medium
152468 | CentOS 8 : nodejs:12 (CESA-2021:3073) | Nessus | CentOS Local Security Checks | medium
152455 | CentOS 8 : nodejs:14 (CESA-2021:3074) | Nessus | CentOS Local Security Checks | medium
152451 | RHEL 8 : nodejs:14 (RHSA-2021:3074) | Nessus | Red Hat Local Security Checks | medium
152443 | RHEL 8 : nodejs:12 (RHSA-2021:3073) | Nessus | Red Hat Local Security Checks | medium
152439 | RHEL 8 : libuv (RHSA-2021:3075) | Nessus | Red Hat Local Security Checks | medium
152377 | Photon OS 4.0: Nodejs PHSA-2021-4.0-0074 | Nessus | PhotonOS Local Security Checks | medium
152272 | SUSE SLES12 Security Update : nodejs12 (SUSE-SU-2021:2326-1) | Nessus | SuSE Local Security Checks | high
152133 | RHEL 7 : rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon (RHSA-2021:2932) | Nessus | Red Hat Local Security Checks | medium
152132 | RHEL 7 : rh-nodejs12-nodejs and rh-nodejs12-nodejs-nodemon (RHSA-2021:2931) | Nessus | Red Hat Local Security Checks | medium
151975 | Node.js 12.x < 12.22.2 / 14.x < 14.17.2 / 16.x < 16.4.1 Multiple Vulnerabilities | Nessus | Misc. | medium
151823 | openSUSE 15 Security Update : nodejs12 (openSUSE-SU-2021:1059-1) | Nessus | SuSE Local Security Checks | high
151818 | openSUSE 15 Security Update : nodejs10 (openSUSE-SU-2021:1061-1) | Nessus | SuSE Local Security Checks | high
151814 | openSUSE 15 Security Update : nodejs14 (openSUSE-SU-2021:1060-1) | Nessus | SuSE Local Security Checks | high
151765 | SUSE SLES15 Security Update : nodejs14 (SUSE-SU-2021:2354-1) | Nessus | SuSE Local Security Checks | high
151758 | SUSE SLES15 Security Update : nodejs10 (SUSE-SU-2021:2353-1) | Nessus | SuSE Local Security Checks | high
151745 | openSUSE 15 Security Update : nodejs14 (openSUSE-SU-2021:2354-1) | Nessus | SuSE Local Security Checks | high
151727 | openSUSE 15 Security Update : nodejs12 (openSUSE-SU-2021:2327-1) | Nessus | SuSE Local Security Checks | high
151723 | openSUSE 15 Security Update : nodejs10 (openSUSE-SU-2021:2353-1) | Nessus | SuSE Local Security Checks | high
151656 | SUSE SLES12 Security Update : nodejs10 (SUSE-SU-2021:2323-1) | Nessus | SuSE Local Security Checks | high
151655 | SUSE SLES15 Security Update : nodejs12 (SUSE-SU-2021:2327-1) | Nessus | SuSE Local Security Checks | high
151650 | SUSE SLES12 Security Update : nodejs14 (SUSE-SU-2021:2319-1) | Nessus | SuSE Local Security Checks | high
151443 | Ubuntu 20.04 LTS / 20.10 / 21.04 : libuv vulnerability (USN-5007-1) | Nessus | Ubuntu Local Security Checks | medium
151422 | Debian DSA-4936-1 : libuv1 - security update | Nessus | Debian Local Security Checks | high