CVE-2021-22931

CWE-170 CWE-20 — Improper Input Validation CWE-22 — Path Traversal11 documents9 sources

Severity

9.8CRITICAL

EPSS

0.7%

top 28.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Node Nodejs Node.js Siemens Sinec Infrastructure Network Services +3 more

Timeline

PublishedAug 16

Latest updateJul 15

Description

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages7 packages

▶CVEListV5nodejs/node4.0 — 4.*+12

▶NVDnodejs/node.js12.13.0 — 12.22.5+4

▶Alpinenodejs< 12.22.5-r0+12

▶NVDsiemens/sinec_infrastructure_network_services< 1.0.1.1

▶NVDoracle/mysql_cluster8.0.26

Patches

Patch: cert-portal.siemens.com ↗Patch: nodejs.org ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-7r9p-c88x-w357: Node↗2022-05-24

▶

GHSA

Path Traversal in Apache James Server↗2022-02-08

▶

OSV

CVE-2021-22931: Node↗2021-08-16

▶

CVEList

CVE-2021-22931: Node↗2021-08-16

▶

📋Vendor Advisories

Oracle

Oracle Oracle JD Edwards Risk Matrix: E1 Dev Platform Tech - Cloud (Node.js) — CVE-2021-22931↗2022-07-15

▶

Oracle

Oracle Oracle PeopleSoft Risk Matrix: Elastic Search (Node.js) — CVE-2021-22931↗2022-01-15

▶

Oracle

Oracle Oracle MySQL Risk Matrix: Cluster: General (Node.js) — CVE-2021-22931↗2021-10-15

▶

Red Hat

nodejs: Improper handling of untypical characters in domain names↗2021-08-11

▶

Microsoft

Node.js before 16.6.0 14.17.4 and 12.22.4 is vulnerable to Remote Code Execution XSS Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns li↗2021-08-10

▶