Описание
Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
A flaw was found in Node.js, where it is vulnerable to a use-after-free attack. This flaw allows an attacker to exploit memory corruption to change process behavior. The highest threat from this vulnerability is to confidentiality and integrity.
Отчет
This issue is a follow-up to CVE-2021-22930, as the issue was not completely resolved in the fix for CVE-2021-22930. Node.js as shipped in Red Hat Enterprise Linux 8 streams and Red Hat Software Collections is not explicitly affected by the incomplete fix because the incomplete fix was not released, but the original issue does affect these components. Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2]. [1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security [2] https://issues.redhat.com/browse/PROJQUAY-1409 Therefore Quay component is marked as "Will not fix" with impact LOW.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 8 | nodejs:16/nodejs | Not affected | ||
| Red Hat Enterprise Linux 9 | nodejs | Not affected | ||
| Red Hat Quay 3 | quay/quay-rhel8 | Will not fix | ||
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2021:3623 | 21.09.2021 |
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2021:3666 | 27.09.2021 |
| Red Hat Enterprise Linux 8.1 Extended Update Support | nodejs | Fixed | RHSA-2021:3639 | 22.09.2021 |
| Red Hat Enterprise Linux 8.2 Extended Update Support | nodejs | Fixed | RHSA-2021:3638 | 22.09.2021 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-nodejs14-nodejs | Fixed | RHSA-2021:3280 | 26.08.2021 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-nodejs12-nodejs | Fixed | RHSA-2021:3281 | 26.08.2021 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-nodejs12-nodejs-nodemon | Fixed | RHSA-2021:3281 | 26.08.2021 |
Показывать по
Дополнительная информация
Статус:
7.5 High
CVSS3
Связанные уязвимости
Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use aft ...
Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
Уязвимость программной платформы Node.js, связанная с использованием памяти после её освобождения, позволяющая нарушителю оказать воздействие на целостность данных
7.5 High
CVSS3