Описание
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().
A flaw has been found in libuv. Node.js is vulnerable to out-of-bounds read in libuv's uv__idna_toascii() function which is used to convert strings to ASCII which is called by Node's DNS module's lookup() function and can lead to information disclosures or crashes. The highest threat from this vulnerability is to system availability.
Отчет
As distributed by Red Hat, a maximum of 3 bytes out of bound can be read. This would not be sufficient to crash nodejs or other applications using libuv, unless it was recompiled using an address sanitizer. The memory disclosure is also very limited. Red Hat Quay version 3.5 does not ship nodejs. Red Hat Quay version 3.4 consumes the nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because they don't use nodejs as a HTTP server. [1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| A-MQ Clients 2 | libuv | Fix deferred | ||
| A-MQ Interconnect 1 | libuv | Fix deferred | ||
| Red Hat Enterprise Linux 8 | nodejs:16/nodejs | Not affected | ||
| Red Hat Enterprise Linux 9 | libuv | Not affected | ||
| Red Hat Enterprise Linux 9 | nodejs | Not affected | ||
| Red Hat OpenStack Platform 13 (Queens) Operational Tools | libuv | Out of support scope | ||
| Red Hat Quay 3 | nodejs | Will not fix | ||
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2021:3073 | 10.08.2021 |
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2021:3074 | 10.08.2021 |
| Red Hat Enterprise Linux 8 | libuv | Fixed | RHSA-2021:3075 | 10.08.2021 |
Показывать по
Дополнительная информация
Статус:
5.3 Medium
CVSS3
Связанные уязвимости
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bou ...
5.3 Medium
CVSS3