CVE-2021-22930

Опубликовано: 29 июл. 2021

Источник: redhat

CVSS3: 9.8

EPSS Низкий

Описание

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

A flaw was found in Node.js, where it is vulnerable to a use-after-free attack. This flaw allows an attacker to exploit the memory corruption, which causes a change in the process behavior. The highest threat from this vulnerability is to confidentiality and integrity.

Отчет

Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2]. [1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security [2] https://issues.redhat.com/browse/PROJQUAY-1409 Therefore Quay component is marked as "Will not fix" with impact LOW.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Enterprise Linux 8	nodejs:16/nodejs	Not affected
Red Hat Enterprise Linux 9	nodejs	Not affected
Red Hat Quay 3	quay/quay-rhel8	Will not fix
Red Hat Enterprise Linux 8	nodejs	Fixed	RHSA-2021:3623	21.09.2021
Red Hat Enterprise Linux 8	nodejs	Fixed	RHSA-2021:3666	27.09.2021
Red Hat Enterprise Linux 8.1 Extended Update Support	nodejs	Fixed	RHSA-2021:3639	22.09.2021
Red Hat Enterprise Linux 8.2 Extended Update Support	nodejs	Fixed	RHSA-2021:3638	22.09.2021
Red Hat Software Collections for Red Hat Enterprise Linux 7	rh-nodejs14-nodejs	Fixed	RHSA-2021:3280	26.08.2021
Red Hat Software Collections for Red Hat Enterprise Linux 7	rh-nodejs12-nodejs	Fixed	RHSA-2021:3281	26.08.2021
Red Hat Software Collections for Red Hat Enterprise Linux 7	rh-nodejs12-nodejs-nodemon	Fixed	RHSA-2021:3281	26.08.2021

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important

Дефект:

CWE-416

https://bugzilla.redhat.com/show_bug.cgi?id=1988394nodejs: Use-after-free on close http2 on stream canceling

EPSS

Процентиль: 63%

0.00452

Низкий

9.8 Critical

CVSS3

Связанные уязвимости

CVE-2021-22930

CVSS3: 9.8

ubuntu

больше 3 лет назад

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

CVE-2021-22930

CVSS3: 9.8

nvd

больше 3 лет назад

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

CVE-2021-22930

CVSS3: 9.8

msrc

больше 3 лет назад

Описание отсутствует

CVE-2021-22930

CVSS3: 9.8

debian

больше 3 лет назад

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use aft ...

openSUSE-SU-2021:3294-1

suse-cvrf

больше 3 лет назад

Security update for nodejs8

EPSS

Процентиль: 63%

0.00452

Низкий

9.8 Critical

CVSS3