First published: Thu Jul 01 2021(Updated: )
A flaw has been found in libuv. Node.js is vulnerable to out-of-bounds read in libuv's uv__idna_toascii() function which is used to convert strings to ASCII which is called by Node's DNS module's lookup() function and can lead to information disclosures or crashes. The highest threat from this vulnerability is to system availability.
Credit: support@hackerone.com support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/libuv | <1:1.41.1-1.el8_4 | 1:1.41.1-1.el8_4 |
redhat/rh-nodejs12-nodejs | <0:12.22.2-1.el7 | 0:12.22.2-1.el7 |
redhat/rh-nodejs12-nodejs-nodemon | <0:2.0.3-2.el7 | 0:2.0.3-2.el7 |
redhat/rh-nodejs14-nodejs | <0:14.17.2-1.el7 | 0:14.17.2-1.el7 |
redhat/rh-nodejs14-nodejs-nodemon | <0:2.0.3-2.el7 | 0:2.0.3-2.el7 |
Nodejs Node.js | >=12.0.0<12.22.2 | |
Nodejs Node.js | >=14.0.0<14.17.2 | |
Nodejs Node.js | >=16.0.0<16.4.1 | |
Siemens Sinec Infrastructure Network Services | <1.0.1.1 | |
redhat/node | <16.4.1 | 16.4.1 |
redhat/node | <14.17.2 | 14.17.2 |
redhat/node | <12.22.2 | 12.22.2 |
redhat/libuv | <1.41.1 | 1.41.1 |
IBM Cognos Controller | <=11.0.0 - 11.0.1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
The severity of CVE-2021-22918 is medium with a CVSS score of 6.5.
Node.js versions before 16.4.1, 14.17.2, and 12.22.2 are affected by CVE-2021-22918.
To fix CVE-2021-22918, update Node.js to version 16.4.1, 14.17.2, or 12.22.2.
The Common Weakness Enumeration (CWE) for CVE-2021-22918 is CWE-125.
You can find more information about CVE-2021-22918 at the following references: [link1], [link2], [link3], [link4], [link5].