CVE-2021-22930

Опубликовано: 07 окт. 2021

Источник: debian

EPSS Низкий

Описание

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

Пакеты

Пакет	Статус	Версия исправления	Релиз	Тип
nodejs	fixed	12.22.4~dfsg-1		package
nodejs	fixed	12.22.5~dfsg-2~11u1	bullseye	package
nodejs	end-of-life		stretch	package

Примечания

https://github.com/nodejs/node/issues/38964
https://github.com/nodejs/node/commit/b263f2585ab53f56e0e22b46cf1f8519a8af8a05 (v12.22.4)
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases-2/#use-after-free-on-close-http2-on-stream-canceling-high-cve-2021-22930
Possible incomplete fix (at least for v12): https://github.com/nodejs/node/issues/38964#issuecomment-889936936
CVE for the incomplete fix tracked as CVE-2021-22940

EPSS

Процентиль: 63%

0.00452

Низкий

Связанные уязвимости

CVE-2021-22930

CVSS3: 9.8

ubuntu

больше 3 лет назад

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

CVE-2021-22930

CVSS3: 9.8

redhat

почти 4 года назад

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

CVE-2021-22930

CVSS3: 9.8

nvd

больше 3 лет назад

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

CVE-2021-22930

CVSS3: 9.8

msrc

больше 3 лет назад

Описание отсутствует

openSUSE-SU-2021:3294-1

suse-cvrf

больше 3 лет назад

Security update for nodejs8

EPSS

Процентиль: 63%

0.00452

Низкий