CVE-2021-22918

CVSS v3.1 5.3 (Medium)

CVSS v2.0 5 (Medium)

EPSS 0.12 % (47^th)

Affected Products 2

Advisories 34

Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().

Weaknesses

CWE-125: Out-of-bounds Read

CVE Status: PUBLISHED
CNA: HackerOne
Published Date: 2021-07-12 11:15:07
(3 years ago)
Updated Date: 2024-01-16 13:15:07
(8 months ago)

Affected Products

Nodejs

Node.js

Siemens

Sinec Infrastructure Network Services

Configuration #1

	CPE23	From	Up To
Nodejs Node.js from 12.0.0 version and prior 12.22.2 version	cpe:2.3:a:nodejs:node.js::::*:-	>= 12.0.0	< 12.22.2
Nodejs Node.js from 14.0.0 version and prior 14.17.2 version	cpe:2.3:a:nodejs:node.js::::*:-	>= 14.0.0	< 14.17.2
Nodejs Node.js from 16.0.0 version and prior 16.4.1 version	cpe:2.3:a:nodejs:node.js::::*:-	>= 16.0.0	< 16.4.1

Configuration #2

		CPE23	From	Up To
	Siemens Sinec Infrastructure Network Services prior 1.0.1.1 version	cpe:2.3:a:siemens:sinec_infrastructure_network_services		< 1.0.1.1