CVE-2021-22930

Опубликовано: 07 окт. 2021

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

Ссылки

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
Patch
Third Party Advisory
https://hackerone.com/reports/1238162
Permissions Required
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html
Mailing List
Third Party Advisory
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases-2/
Patch
Vendor Advisory
https://security.gentoo.org/glsa/202401-02
https://security.netapp.com/advisory/ntap-20211112-0002/
Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
Patch
Third Party Advisory
https://hackerone.com/reports/1238162
Permissions Required
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html
Mailing List
Third Party Advisory
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases-2/
Patch
Vendor Advisory
https://security.gentoo.org/glsa/202401-02
https://security.netapp.com/advisory/ntap-20211112-0002/
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

Версия от 12.0.0 (включая) до 12.22.4 (исключая)

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

Версия от 14.0.0 (включая) до 14.17.4 (исключая)

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

Версия от 16.0.0 (включая) до 16.6.0 (исключая)

Конфигурация 2

cpe:2.3:a:netapp:nextgen_api:-:*:*:*:*:*:*:*

Конфигурация 3

cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*

Версия до 1.0.1.1 (исключая)

Конфигурация 4

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

EPSS

Процентиль: 57%

0.00347

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-416

Связанные уязвимости

CVE-2021-22930

CVSS3: 9.8

ubuntu

около 4 лет назад

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

CVE-2021-22930

CVSS3: 9.8

redhat

больше 4 лет назад

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

CVE-2021-22930

CVSS3: 9.8

msrc

почти 4 года назад

Node.js before 16.6.0 14.17.4 and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption to change process behavior.

CVE-2021-22930

CVSS3: 9.8

debian

около 4 лет назад

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use aft ...

openSUSE-SU-2021:3294-1

suse-cvrf

около 4 лет назад

Security update for nodejs8

EPSS

Процентиль: 57%

0.00347

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-416