CVE-2021-22883

EPSS 87.36%
Published 03.03.2021 18:15:14
Last modified 21.11.2024 05:50:49
Source support@hackerone.com
Teams watchlist Login
Open Login

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.

Affected products Warnungen 0 Metrics 3 CWE 2 References 13

Data is provided by the National Vulnerability Database (NVD)

Nodejs ≫ Node.Js SwEditionlts Version >= 10.0.0 < 10.24.0

Nodejs ≫ Node.Js SwEditionlts Version >= 12.0.0 < 12.21.0

Nodejs ≫ Node.Js SwEditionlts Version >= 14.0.0 < 14.16.0

Nodejs ≫ Node.Js SwEdition- Version >= 15.0.0 < 15.10.0

Fedoraproject ≫ Fedora Version32

Fedoraproject ≫ Fedora Version33

Fedoraproject ≫ Fedora Version34

Netapp ≫ E-series Performance Analyzer Version-

Oracle ≫ Graalvm Version19.3.5 SwEditionenterprise

Oracle ≫ Graalvm Version20.3.1.2 SwEditionenterprise

Oracle ≫ Graalvm Version21.0.0.2 SwEditionenterprise

Oracle ≫ Jd Edwards Enterpriseone Tools Version < 9.2.6.0

Oracle ≫ Mysql Cluster Version <= 8.0.25

Oracle ≫ Nosql Database Version < 20.3

Oracle ≫ Peoplesoft Enterprise Peopletools Version8.58

Oracle ≫ Peoplesoft Enterprise Peopletools Version8.59

Siemens ≫ Sinec Infrastructure Network Services Version < 1.0.1.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	87.36%	0.994

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	7.8	10	6.9	AV:N/AC:L/Au:N/C:N/I:N/A:C

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CWE-772 Missing Release of Resource after Effective Lifetime

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

https://www.oracle.com//security-alerts/cpujul2021.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuApr2021.html

Patch

Third Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf