CVE-2021-22918
First published: Thu Jul 01 2021(Updated: )
Node.js is vulnerable to a denial of service, caused by an out-of-bounds read in the libuv's uv__idna_toascii() function. By invoking the function using dns module's lookup() function, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service.
Credit: support@hackerone.com support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| >=12.0.0<12.22.2 | ||
| >=14.0.0<14.17.2 | ||
| >=16.0.0<16.4.1 | ||
| <1.0.1.1 | ||
| Nodejs Node.js | >=12.0.0<12.22.2 | |
| Nodejs Node.js | >=14.0.0<14.17.2 | |
| Nodejs Node.js | >=16.0.0<16.4.1 | |
| Siemens Sinec Infrastructure Network Services | <1.0.1.1 | |
| redhat/node | <16.4.1 | 16.4.1 |
| redhat/node | <14.17.2 | 14.17.2 |
| redhat/node | <12.22.2 | 12.22.2 |
| redhat/libuv | <1.41.1 | 1.41.1 |
| redhat/libuv | <1:1.41.1-1.el8_4 | 1:1.41.1-1.el8_4 |
| redhat/rh-nodejs12-nodejs | <0:12.22.2-1.el7 | 0:12.22.2-1.el7 |
| redhat/rh-nodejs12-nodejs-nodemon | <0:2.0.3-2.el7 | 0:2.0.3-2.el7 |
| redhat/rh-nodejs14-nodejs | <0:14.17.2-1.el7 | 0:14.17.2-1.el7 |
| redhat/rh-nodejs14-nodejs-nodemon | <0:2.0.3-2.el7 | 0:2.0.3-2.el7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/204784
- https://www.ibm.com/support/pages/node/6570957 (Advisory)
- https://hackerone.com/reports/1209681
- https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/
- https://security.netapp.com/advisory/ntap-20210805-0003/
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://security.gentoo.org/glsa/202401-23
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1979345
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1979339
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1979346
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1979340
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1979341
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1979342
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1979343
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1979344
- https://github.com/libuv/libuv/commit/b7466e31e4bee160d82a68fca11b1f61d46debae
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1979598
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1979591
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1979592
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1979593
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1979599
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1979595
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1979596
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1979597
- https://github.com/nodejs/node/commit/d33aead28bcec32a2a450f884907a6d971631829
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1979925
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1979924
- https://github.com/libuv/libuv/commit/6dd44caa
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1980076
- https://access.redhat.com/errata/RHSA-2021:2931
- https://access.redhat.com/errata/RHSA-2021:2932
- https://access.redhat.com/security/cve/cve-2021-22918
- https://access.redhat.com/errata/RHSA-2021:3073
- https://access.redhat.com/errata/RHSA-2021:3074
- https://access.redhat.com/errata/RHSA-2021:3075
- https://access.redhat.com/errata/RHSA-2021:3639
- https://access.redhat.com/errata/RHSA-2021:3638
- https://bugzilla.redhat.com/show_bug.cgi?id=1979338
- https://www.cve.org/CVERecord?id=CVE-2021-22918 https://nvd.nist.gov/vuln/detail/CVE-2021-22918 https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2021-22918?
The severity of CVE-2021-22918 is medium with a CVSS score of 6.5.
Which versions of Node.js are affected by CVE-2021-22918?
Node.js versions before 16.4.1, 14.17.2, and 12.22.2 are affected by CVE-2021-22918.
How can I fix CVE-2021-22918?
To fix CVE-2021-22918, update Node.js to version 16.4.1, 14.17.2, or 12.22.2.
What is the Common Weakness Enumeration (CWE) for CVE-2021-22918?
The Common Weakness Enumeration (CWE) for CVE-2021-22918 is CWE-125.
Where can I find more information about CVE-2021-22918?
You can find more information about CVE-2021-22918 at the following references: [link1], [link2], [link3], [link4], [link5].
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/ibm-support
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-22918
- agent/software-canonical-lookup
- collector/redhat-cve
- vendor/nodejs
- vendor/siemens
- canonical/nodejs node.js
- version/nodejs node.js/12.0.0
- version/nodejs node.js/14.0.0
- version/nodejs node.js/16.0.0
- canonical/siemens sinec infrastructure network services
- package-manager/redhat