First published: Wed Aug 11 2021
Node.js could allow a remote attacker to bypass security restrictions because of an incomplete fix for CVE-2021-22930, a use-after-free in the http2 module that occurs on close when a stream is canceled. An attacker could exploit this vulnerability to corrupt memory and change process behavior.
Credit: support@hackerone.com
Affected Software | Affected Version | How to fix
---|---|---
redhat/rh-nodejs14-nodejs | <0:14.17.5-1.el7 | 0:14.17.5-1.el7
redhat/rh-nodejs12-nodejs | <0:12.22.5-1.el7 | 0:12.22.5-1.el7
redhat/rh-nodejs12-nodejs-nodemon | <0:2.0.3-5.el7 | 0:2.0.3-5.el7
redhat/nodejs | <12.22.5 | 12.22.5
redhat/nodejs | <14.17.5 | 14.17.5
redhat/nodejs | <16.6.2 | 16.6.2
Nodejs Node.js | >=12.0.0, <12.22.5 |
Nodejs Node.js | >=14.0.0, <14.17.5 |
Nodejs Node.js | >=16.0.0, <16.6.2 |
Oracle GraalVM | =20.3.3 |
Oracle GraalVM | =21.2.0 |
Oracle JD Edwards EnterpriseOne Tools | <=9.2.6.1 |
Oracle PeopleSoft Enterprise PeopleTools | =8.57 |
Oracle PeopleSoft Enterprise PeopleTools | =8.58 |
Oracle PeopleSoft Enterprise PeopleTools | =8.59 |
NetApp NextGen API | |
Siemens SINEC Infrastructure Network Services | <1.0.1.1 |
Debian Debian Linux | =10.0 |
The vulnerability ID for this Node.js vulnerability is CVE-2021-22940.
The severity of CVE-2021-22940 is high.
CVE-2021-22940 allows a remote attacker to bypass security restrictions and corrupt memory to change process behavior in Node.js.
Versions 12.22.5, 14.17.5, and prior are affected by CVE-2021-22940.
To fix the CVE-2021-22940 vulnerability in Node.js, update to version 16.6.1, 14.17.5, or 12.22.5, or later.