CVE-2021-22918

Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

Configuration 2 (hide)

cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*

History

21 Nov 2024, 05:50

Type Values Removed Values Added
References () https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf - Patch, Third Party Advisory () https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf - Patch, Third Party Advisory
References () https://hackerone.com/reports/1209681 - Exploit, Third Party Advisory () https://hackerone.com/reports/1209681 - Exploit, Third Party Advisory
References () https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/ - Patch, Vendor Advisory () https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/ - Patch, Vendor Advisory
References () https://security.gentoo.org/glsa/202401-23 - () https://security.gentoo.org/glsa/202401-23 -
References () https://security.netapp.com/advisory/ntap-20210805-0003/ - Third Party Advisory () https://security.netapp.com/advisory/ntap-20210805-0003/ - Third Party Advisory

16 Jan 2024, 13:15

Type Values Removed Values Added
References
  • () https://security.gentoo.org/glsa/202401-23 -

06 Apr 2022, 15:01

Type Values Removed Values Added
CPE cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*
References (MISC) https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/ - Vendor Advisory (MISC) https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/ - Patch, Vendor Advisory
References (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf - (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf - Patch, Third Party Advisory

10 Mar 2022, 17:41

Type Values Removed Values Added
References
  • (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf -

20 Sep 2021, 12:30

Type Values Removed Values Added
References
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20210805-0003/ - Third Party Advisory

20 Jul 2021, 17:57

Type Values Removed Values Added
CVSS v2 : 6.4
v3 : 8.2
v2 : 5.0
v3 : 5.3

15 Jul 2021, 12:58

Type Values Removed Values Added
CWE CWE-125
References (MISC) https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/ - (MISC) https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/ - Vendor Advisory
References (MISC) https://hackerone.com/reports/1209681 - (MISC) https://hackerone.com/reports/1209681 - Exploit, Third Party Advisory
CPE cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 6.4
v3 : 8.2

12 Jul 2021, 11:45

Type Values Removed Values Added
New CVE

Information

Published : 2021-07-12 11:15

Updated : 2024-11-21 05:50


NVD link : CVE-2021-22918

Mitre link : CVE-2021-22918

CVE.ORG link : CVE-2021-22918


JSON object : View

Products Affected

nodejs

  • node.js

siemens

  • sinec_infrastructure_network_services
CWE
CWE-125

Out-of-bounds Read