CVE-2021-22921

CWE-732 — Incorrect Permission Assignment4 documents4 sources

Severity

7.8HIGH

EPSS

0.5%

top 32.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Node Nodejs Node.js Siemens Sinec Infrastructure Network Services

Timeline

PublishedJul 12

Latest updateJul 13

Description

Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5nodejs/node4.0 — 4.*+12

▶NVDnodejs/node.js12.0.0 — 12.22.2+2

▶NVDsiemens/sinec_infrastructure_network_services< 1.0.1.1

Patches

Patch: cert-portal.siemens.com ↗Patch: nodejs.org ↗Patch: cert-portal.siemens.com ↗

🔴Vulnerability Details

GHSA

Incorrect Permission Assignment for Critical Resource in Node↗2021-07-13

▶

CVEList

CVE-2021-22921: Node↗2021-07-12

▶

📋Vendor Advisories

Debian

CVE-2021-22921: nodejs - Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege esc...↗2021

▶