CVE-2021-22931

Name
CVE-2021-22931
Description
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to remote code execution, XSS, and application crashes due to missing input validation of host names returned by Domain Name Servers in the Node.js dns library, which can lead to output of wrong hostnames (leading to domain hijacking) and injection vulnerabilities in applications using the library.
NVD Severity
unknown

References

| Type | URI |
|---|---|
| MISC | https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/ |
| MISC | https://hackerone.com/reports/1178337 |
| CONFIRM | https://security.netapp.com/advisory/ntap-20210923-0001/ |
| MISC | https://www.oracle.com/security-alerts/cpuoct2021.html |
| CONFIRM | https://security.netapp.com/advisory/ntap-20211022-0003/ |
| Patch | https://www.oracle.com/security-alerts/cpujan2022.html |
| Patch | https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf |
| support@hackerone.com | https://security.gentoo.org/glsa/202401-02 |
| Third Party Advisory | https://www.oracle.com/security-alerts/cpujul2022.html |

Match rules

| CPE URI | Source package | Min version | Max version |
|---|---|---|---|
| cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* | nodejs | >= 12.0.0 | < 12.22.4 |
| cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* | nodejs | >= 13.0.0 | < 14.17.4 |
| cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* | nodejs | >= 15.0.0 | < 16.6.0 |
| cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* | nodejs | >= 14.0.0 | < 14.17.4 |
| cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* | nodejs | >= 16.0.0 | < 16.6.0 |
| cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* | nodejs | >= 12.0.0 | <= 12.12.0 |
| cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* | nodejs | >= 12.13.0 | < 12.22.5 |
| cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* | nodejs | >= 14.0.0 | <= 14.14.0 |
| cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* | nodejs | >= 14.15.0 | < 14.17.5 |
| cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* | nodejs | >= 16.0.0 | < 16.6.2 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
|---|---|---|---|---|
| nodejs-current | 3.14-community | 16.11.1-r0 | Jose-Luis Rivas <ghostbar@riseup.net> | fixed |