CVE-2021-22918

CVE-2021-22918

Name

CVE-2021-22918

Description

Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/
MISC	https://hackerone.com/reports/1209681
Third Party Advisory	https://security.netapp.com/advisory/ntap-20210805-0003/
Patch	https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
support@hackerone.com	https://security.gentoo.org/glsa/202401-23

Type

URI

MISC

https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/

MISC

https://hackerone.com/reports/1209681

Third Party Advisory

https://security.netapp.com/advisory/ntap-20210805-0003/

Patch

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

support@hackerone.com

https://security.gentoo.org/glsa/202401-23

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:nodejs:node.js:::::-:::*`	nodejs	>= 12.0.0	< 12.22.2
`cpe:2.3:a:nodejs:node.js:::::-:::*`	nodejs	>= 14.0.0	< 14.17.2
`cpe:2.3:a:nodejs:node.js:::::-:::*`	nodejs	>= 16.0.0	<= 16.4.1

CPE URI

Source package

Min version

Max version

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

nodejs

>= 12.0.0

< 12.22.2

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

nodejs

>= 14.0.0

< 14.17.2

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

nodejs

>= 16.0.0

<= 16.4.1

References

Match rules

Vulnerable and fixed packages