Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-22931

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.

Published

2021-08-16T19:15:13.127

Last Modified

2024-11-21T05:50:57.657

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Secondary
CWE-170
Type: Primary
CWE-20

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nodejs	node.js	≤ 12.12.0	Yes
Application	nodejs	node.js	< 12.22.5	Yes
Application	nodejs	node.js	≤ 14.14.0	Yes
Application	nodejs	node.js	< 14.17.5	Yes
Application	nodejs	node.js	< 16.6.2	Yes
Application	netapp	active_iq_unified_manager	-	Yes
Application	netapp	active_iq_unified_manager	-	Yes
Application	netapp	nextgen_api	-	Yes
Application	netapp	oncommand_insight	-	Yes
Application	netapp	oncommand_workflow_automation	-	Yes
Application	netapp	snapcenter	-	Yes
Application	oracle	graalvm	20.3.3	Yes
Application	oracle	graalvm	21.2.0	Yes
Application	oracle	mysql_cluster	≤ 8.0.26	Yes
Application	oracle	peoplesoft_enterprise_peopletools	8.57	Yes
Application	oracle	peoplesoft_enterprise_peopletools	8.58	Yes
Application	oracle	peoplesoft_enterprise_peopletools	8.59	Yes
Application	siemens	sinec_infrastructure_network_services	< 1.0.1.1	Yes

References

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf Patch, Third Party Advisory ([email protected])
https://hackerone.com/reports/1178337 Exploit, Issue Tracking, Third Party Advisory ([email protected])
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/ Patch, Vendor Advisory ([email protected])
https://security.gentoo.org/glsa/202401-02 ([email protected])
https://security.netapp.com/advisory/ntap-20210923-0001/ Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20211022-0003/ Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpujan2022.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpujul2022.html Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuoct2021.html Patch, Third Party Advisory ([email protected])
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/1178337 Exploit, Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/ Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202401-02 (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20210923-0001/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20211022-0003/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujan2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujul2022.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuoct2021.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)