Vulnerability CVE-2021-22918: Information
Description
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().
Severity: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| libuv | sisyphus | 1.41.0-alt3 | 1.48.0-alt1 | ALT-PU-2021-2122-1 | 276697 | Fixed |
| libuv | sisyphus_riscv64 | 1.42.0-alt1 | 1.48.0-alt1 | ALT-PU-2022-3921-1 | - | Fixed |
| libuv | p10 | 1.41.0-alt3 | 1.44.2-alt0.p10.1 | ALT-PU-2021-2122-1 | 276697 | Fixed |
| libuv | p9 | 1.41.1-alt2 | 1.41.1-alt2 | ALT-PU-2021-2406-1 | 279921 | Fixed |
| libuv | c10f1 | 1.41.0-alt3 | 1.44.2-alt0.p10.1 | ALT-PU-2021-2122-1 | 276697 | Fixed |
| libuv | c9f2 | 1.44.1-alt1 | 1.48.0-alt1 | ALT-PU-2022-3070-1 | 303505 | Fixed |
| node | sisyphus | 14.17.2-alt1 | 20.12.2-alt1 | ALT-PU-2021-2123-1 | 276697 | Fixed |
| node | p10 | 14.17.2-alt1 | 16.19.1-alt1 | ALT-PU-2021-2123-1 | 276697 | Fixed |
| node | p9 | 14.17.2-alt1 | 14.17.2-alt1 | ALT-PU-2021-2407-1 | 279921 | Fixed |
| node | c10f1 | 14.17.2-alt1 | 16.19.1-alt1 | ALT-PU-2021-2123-1 | 276697 | Fixed |
| node | c9f2 | 16.17.1-alt0.c9.1 | 16.19.1-alt0.c9.1 | ALT-PU-2022-3073-1 | 303505 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
|---|---|
| https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/ |
|
| https://hackerone.com/reports/1209681 |
|
| https://security.netapp.com/advisory/ntap-20210805-0003/ |
|
| https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf |
|
| GLSA-202401-23 |