5.3

CVE-2021-22918

Exploit

EPSS 0.72%
Published 12.07.2021 11:15:07
Last modified 21.11.2024 05:50:54
Source support@hackerone.com
Teams watchlist Login
Open Login

Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().

Affected products Warnungen 0 Metrics 3 CWE 1 References 8

Data is provided by the National Vulnerability Database (NVD)

Nodejs ≫ Node.Js SwEdition- Version >= 12.0.0 < 12.22.2

Nodejs ≫ Node.Js SwEdition- Version >= 14.0.0 < 14.17.2

Nodejs ≫ Node.Js SwEdition- Version >= 16.0.0 < 16.4.1

Siemens ≫ Sinec Infrastructure Network Services Version < 1.0.1.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.72%	0.716

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Patch

Third Party Advisory

https://hackerone.com/reports/1209681

Third Party Advisory

Exploit

https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/

Patch

Vendor Advisory

https://security.gentoo.org/glsa/202401-23

https://security.netapp.com/advisory/ntap-20210805-0003/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-22918

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-22918

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-22918

EUVD