CVE-2021-22930

Опубликовано: 29 июл. 2021

Источник: redhat

CVSS3: 9.8

Описание

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

A flaw was found in Node.js, where it is vulnerable to a use-after-free attack. This flaw allows an attacker to exploit the memory corruption, which causes a change in the process behavior. The highest threat from this vulnerability is to confidentiality and integrity.

Отчет

Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2]. [1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security [2] https://issues.redhat.com/browse/PROJQUAY-1409 Therefore Quay component is marked as "Will not fix" with impact LOW.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Enterprise Linux 8	nodejs:16/nodejs	Not affected
Red Hat Enterprise Linux 9	nodejs	Not affected
Red Hat Quay 3	quay/quay-rhel8	Will not fix
Red Hat Enterprise Linux 8	nodejs	Fixed	RHSA-2021:3623	21.09.2021
Red Hat Enterprise Linux 8	nodejs	Fixed	RHSA-2021:3666	27.09.2021
Red Hat Enterprise Linux 8.1 Extended Update Support	nodejs	Fixed	RHSA-2021:3639	22.09.2021
Red Hat Enterprise Linux 8.2 Extended Update Support	nodejs	Fixed	RHSA-2021:3638	22.09.2021
Red Hat Software Collections for Red Hat Enterprise Linux 7	rh-nodejs14-nodejs	Fixed	RHSA-2021:3280	26.08.2021
Red Hat Software Collections for Red Hat Enterprise Linux 7	rh-nodejs12-nodejs	Fixed	RHSA-2021:3281	26.08.2021
Red Hat Software Collections for Red Hat Enterprise Linux 7	rh-nodejs12-nodejs-nodemon	Fixed	RHSA-2021:3281	26.08.2021

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important

Дефект:

CWE-416

https://bugzilla.redhat.com/show_bug.cgi?id=1988394nodejs: Use-after-free on close http2 on stream canceling

9.8 Critical

CVSS3

Связанные уязвимости

CVE-2021-22930

CVSS3: 9.8

ubuntu

около 4 лет назад

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

CVE-2021-22930

CVSS3: 9.8

nvd

около 4 лет назад

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

CVE-2021-22930

CVSS3: 9.8

msrc

почти 4 года назад

Node.js before 16.6.0 14.17.4 and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption to change process behavior.

CVE-2021-22930

CVSS3: 9.8

debian

около 4 лет назад

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use aft ...

openSUSE-SU-2021:3294-1

suse-cvrf

около 4 лет назад

Security update for nodejs8

9.8 Critical

CVSS3