Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().
References
Link | Resource |
---|---|
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf | Patch Third Party Advisory |
https://hackerone.com/reports/1209681 | Exploit Third Party Advisory |
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/ | Patch Vendor Advisory |
https://security.gentoo.org/glsa/202401-23 | |
https://security.netapp.com/advisory/ntap-20210805-0003/ | Third Party Advisory |
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf | Patch Third Party Advisory |
https://hackerone.com/reports/1209681 | Exploit Third Party Advisory |
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/ | Patch Vendor Advisory |
https://security.gentoo.org/glsa/202401-23 | |
https://security.netapp.com/advisory/ntap-20210805-0003/ | Third Party Advisory |
Configurations
History
21 Nov 2024, 05:50
Type | Values Removed | Values Added |
---|---|---|
References | () https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf - Patch, Third Party Advisory | |
References | () https://hackerone.com/reports/1209681 - Exploit, Third Party Advisory | |
References | () https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/ - Patch, Vendor Advisory | |
References | () https://security.gentoo.org/glsa/202401-23 - | |
References | () https://security.netapp.com/advisory/ntap-20210805-0003/ - Third Party Advisory |
16 Jan 2024, 13:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
06 Apr 2022, 15:01
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:* | |
References | (MISC) https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/ - Patch, Vendor Advisory | |
References | (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf - Patch, Third Party Advisory |
10 Mar 2022, 17:41
Type | Values Removed | Values Added |
---|---|---|
References |
|
20 Sep 2021, 12:30
Type | Values Removed | Values Added |
---|---|---|
References |
|
20 Jul 2021, 17:57
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 5.0
v3 : 5.3 |
15 Jul 2021, 12:58
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-125 | |
References | (MISC) https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/ - Vendor Advisory | |
References | (MISC) https://hackerone.com/reports/1209681 - Exploit, Third Party Advisory | |
CPE | cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* | |
CVSS |
v2 : v3 : |
v2 : 6.4
v3 : 8.2 |
12 Jul 2021, 11:45
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-07-12 11:15
Updated : 2024-11-21 05:50
NVD link : CVE-2021-22918
Mitre link : CVE-2021-22918
CVE.ORG link : CVE-2021-22918
JSON object : View
Products Affected
nodejs
- node.js
siemens
- sinec_infrastructure_network_services
CWE
CWE-125
Out-of-bounds Read