csaf_opensuse - opensuse-su-2024:11097-1

Vulnerability from csaf_opensuse

Published

2024-06-15 00:00

Modified

2024-06-15 00:00

Summary

nodejs16-16.6.2-2.2 on GA media

Notes

Title of the patch

nodejs16-16.6.2-2.2 on GA media

Description of the patch

These are all security issues fixed in the nodejs16-16.6.2-2.2 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-11097

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://www.suse.com/support/security/rating/",
         text: "moderate",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright 2024 SUSE LLC. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "nodejs16-16.6.2-2.2 on GA media",
            title: "Title of the patch",
         },
         {
            category: "description",
            text: "These are all security issues fixed in the nodejs16-16.6.2-2.2 package on the GA media of openSUSE Tumbleweed.",
            title: "Description of the patch",
         },
         {
            category: "details",
            text: "openSUSE-Tumbleweed-2024-11097",
            title: "Patchnames",
         },
         {
            category: "legal_disclaimer",
            text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
            title: "Terms of use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://www.suse.com/support/security/contact/",
         name: "SUSE Product Security Team",
         namespace: "https://www.suse.com/",
      },
      references: [
         {
            category: "external",
            summary: "SUSE ratings",
            url: "https://www.suse.com/support/security/rating/",
         },
         {
            category: "self",
            summary: "URL of this CSAF notice",
            url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11097-1.json",
         },
         {
            category: "self",
            summary: "SUSE CVE CVE-2021-22918 page",
            url: "https://www.suse.com/security/cve/CVE-2021-22918/",
         },
         {
            category: "self",
            summary: "SUSE CVE CVE-2021-22930 page",
            url: "https://www.suse.com/security/cve/CVE-2021-22930/",
         },
         {
            category: "self",
            summary: "SUSE CVE CVE-2021-22939 page",
            url: "https://www.suse.com/security/cve/CVE-2021-22939/",
         },
         {
            category: "self",
            summary: "SUSE CVE CVE-2021-22940 page",
            url: "https://www.suse.com/security/cve/CVE-2021-22940/",
         },
         {
            category: "self",
            summary: "SUSE CVE CVE-2021-3672 page",
            url: "https://www.suse.com/security/cve/CVE-2021-3672/",
         },
      ],
      title: "nodejs16-16.6.2-2.2 on GA media",
      tracking: {
         current_release_date: "2024-06-15T00:00:00Z",
         generator: {
            date: "2024-06-15T00:00:00Z",
            engine: {
               name: "cve-database.git:bin/generate-csaf.pl",
               version: "1",
            },
         },
         id: "openSUSE-SU-2024:11097-1",
         initial_release_date: "2024-06-15T00:00:00Z",
         revision_history: [
            {
               date: "2024-06-15T00:00:00Z",
               number: "1",
               summary: "Current version",
            },
         ],
         status: "final",
         version: "1",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "nodejs16-16.6.2-2.2.aarch64",
                        product: {
                           name: "nodejs16-16.6.2-2.2.aarch64",
                           product_id: "nodejs16-16.6.2-2.2.aarch64",
                        },
                     },
                     {
                        category: "product_version",
                        name: "nodejs16-devel-16.6.2-2.2.aarch64",
                        product: {
                           name: "nodejs16-devel-16.6.2-2.2.aarch64",
                           product_id: "nodejs16-devel-16.6.2-2.2.aarch64",
                        },
                     },
                     {
                        category: "product_version",
                        name: "nodejs16-docs-16.6.2-2.2.aarch64",
                        product: {
                           name: "nodejs16-docs-16.6.2-2.2.aarch64",
                           product_id: "nodejs16-docs-16.6.2-2.2.aarch64",
                        },
                     },
                     {
                        category: "product_version",
                        name: "npm16-16.6.2-2.2.aarch64",
                        product: {
                           name: "npm16-16.6.2-2.2.aarch64",
                           product_id: "npm16-16.6.2-2.2.aarch64",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "aarch64",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "nodejs16-16.6.2-2.2.ppc64le",
                        product: {
                           name: "nodejs16-16.6.2-2.2.ppc64le",
                           product_id: "nodejs16-16.6.2-2.2.ppc64le",
                        },
                     },
                     {
                        category: "product_version",
                        name: "nodejs16-devel-16.6.2-2.2.ppc64le",
                        product: {
                           name: "nodejs16-devel-16.6.2-2.2.ppc64le",
                           product_id: "nodejs16-devel-16.6.2-2.2.ppc64le",
                        },
                     },
                     {
                        category: "product_version",
                        name: "nodejs16-docs-16.6.2-2.2.ppc64le",
                        product: {
                           name: "nodejs16-docs-16.6.2-2.2.ppc64le",
                           product_id: "nodejs16-docs-16.6.2-2.2.ppc64le",
                        },
                     },
                     {
                        category: "product_version",
                        name: "npm16-16.6.2-2.2.ppc64le",
                        product: {
                           name: "npm16-16.6.2-2.2.ppc64le",
                           product_id: "npm16-16.6.2-2.2.ppc64le",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "ppc64le",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "nodejs16-16.6.2-2.2.s390x",
                        product: {
                           name: "nodejs16-16.6.2-2.2.s390x",
                           product_id: "nodejs16-16.6.2-2.2.s390x",
                        },
                     },
                     {
                        category: "product_version",
                        name: "nodejs16-devel-16.6.2-2.2.s390x",
                        product: {
                           name: "nodejs16-devel-16.6.2-2.2.s390x",
                           product_id: "nodejs16-devel-16.6.2-2.2.s390x",
                        },
                     },
                     {
                        category: "product_version",
                        name: "nodejs16-docs-16.6.2-2.2.s390x",
                        product: {
                           name: "nodejs16-docs-16.6.2-2.2.s390x",
                           product_id: "nodejs16-docs-16.6.2-2.2.s390x",
                        },
                     },
                     {
                        category: "product_version",
                        name: "npm16-16.6.2-2.2.s390x",
                        product: {
                           name: "npm16-16.6.2-2.2.s390x",
                           product_id: "npm16-16.6.2-2.2.s390x",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "s390x",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "nodejs16-16.6.2-2.2.x86_64",
                        product: {
                           name: "nodejs16-16.6.2-2.2.x86_64",
                           product_id: "nodejs16-16.6.2-2.2.x86_64",
                        },
                     },
                     {
                        category: "product_version",
                        name: "nodejs16-devel-16.6.2-2.2.x86_64",
                        product: {
                           name: "nodejs16-devel-16.6.2-2.2.x86_64",
                           product_id: "nodejs16-devel-16.6.2-2.2.x86_64",
                        },
                     },
                     {
                        category: "product_version",
                        name: "nodejs16-docs-16.6.2-2.2.x86_64",
                        product: {
                           name: "nodejs16-docs-16.6.2-2.2.x86_64",
                           product_id: "nodejs16-docs-16.6.2-2.2.x86_64",
                        },
                     },
                     {
                        category: "product_version",
                        name: "npm16-16.6.2-2.2.x86_64",
                        product: {
                           name: "npm16-16.6.2-2.2.x86_64",
                           product_id: "npm16-16.6.2-2.2.x86_64",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "x86_64",
               },
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "openSUSE Tumbleweed",
                        product: {
                           name: "openSUSE Tumbleweed",
                           product_id: "openSUSE Tumbleweed",
                           product_identification_helper: {
                              cpe: "cpe:/o:opensuse:tumbleweed",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "SUSE Linux Enterprise",
               },
            ],
            category: "vendor",
            name: "SUSE",
         },
      ],
      relationships: [
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs16-16.6.2-2.2.aarch64 as component of openSUSE Tumbleweed",
               product_id: "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.aarch64",
            },
            product_reference: "nodejs16-16.6.2-2.2.aarch64",
            relates_to_product_reference: "openSUSE Tumbleweed",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs16-16.6.2-2.2.ppc64le as component of openSUSE Tumbleweed",
               product_id: "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.ppc64le",
            },
            product_reference: "nodejs16-16.6.2-2.2.ppc64le",
            relates_to_product_reference: "openSUSE Tumbleweed",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs16-16.6.2-2.2.s390x as component of openSUSE Tumbleweed",
               product_id: "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.s390x",
            },
            product_reference: "nodejs16-16.6.2-2.2.s390x",
            relates_to_product_reference: "openSUSE Tumbleweed",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs16-16.6.2-2.2.x86_64 as component of openSUSE Tumbleweed",
               product_id: "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.x86_64",
            },
            product_reference: "nodejs16-16.6.2-2.2.x86_64",
            relates_to_product_reference: "openSUSE Tumbleweed",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs16-devel-16.6.2-2.2.aarch64 as component of openSUSE Tumbleweed",
               product_id: "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.aarch64",
            },
            product_reference: "nodejs16-devel-16.6.2-2.2.aarch64",
            relates_to_product_reference: "openSUSE Tumbleweed",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs16-devel-16.6.2-2.2.ppc64le as component of openSUSE Tumbleweed",
               product_id: "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.ppc64le",
            },
            product_reference: "nodejs16-devel-16.6.2-2.2.ppc64le",
            relates_to_product_reference: "openSUSE Tumbleweed",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs16-devel-16.6.2-2.2.s390x as component of openSUSE Tumbleweed",
               product_id: "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.s390x",
            },
            product_reference: "nodejs16-devel-16.6.2-2.2.s390x",
            relates_to_product_reference: "openSUSE Tumbleweed",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs16-devel-16.6.2-2.2.x86_64 as component of openSUSE Tumbleweed",
               product_id: "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.x86_64",
            },
            product_reference: "nodejs16-devel-16.6.2-2.2.x86_64",
            relates_to_product_reference: "openSUSE Tumbleweed",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs16-docs-16.6.2-2.2.aarch64 as component of openSUSE Tumbleweed",
               product_id: "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.aarch64",
            },
            product_reference: "nodejs16-docs-16.6.2-2.2.aarch64",
            relates_to_product_reference: "openSUSE Tumbleweed",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs16-docs-16.6.2-2.2.ppc64le as component of openSUSE Tumbleweed",
               product_id: "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.ppc64le",
            },
            product_reference: "nodejs16-docs-16.6.2-2.2.ppc64le",
            relates_to_product_reference: "openSUSE Tumbleweed",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs16-docs-16.6.2-2.2.s390x as component of openSUSE Tumbleweed",
               product_id: "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.s390x",
            },
            product_reference: "nodejs16-docs-16.6.2-2.2.s390x",
            relates_to_product_reference: "openSUSE Tumbleweed",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "nodejs16-docs-16.6.2-2.2.x86_64 as component of openSUSE Tumbleweed",
               product_id: "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.x86_64",
            },
            product_reference: "nodejs16-docs-16.6.2-2.2.x86_64",
            relates_to_product_reference: "openSUSE Tumbleweed",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "npm16-16.6.2-2.2.aarch64 as component of openSUSE Tumbleweed",
               product_id: "openSUSE Tumbleweed:npm16-16.6.2-2.2.aarch64",
            },
            product_reference: "npm16-16.6.2-2.2.aarch64",
            relates_to_product_reference: "openSUSE Tumbleweed",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "npm16-16.6.2-2.2.ppc64le as component of openSUSE Tumbleweed",
               product_id: "openSUSE Tumbleweed:npm16-16.6.2-2.2.ppc64le",
            },
            product_reference: "npm16-16.6.2-2.2.ppc64le",
            relates_to_product_reference: "openSUSE Tumbleweed",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "npm16-16.6.2-2.2.s390x as component of openSUSE Tumbleweed",
               product_id: "openSUSE Tumbleweed:npm16-16.6.2-2.2.s390x",
            },
            product_reference: "npm16-16.6.2-2.2.s390x",
            relates_to_product_reference: "openSUSE Tumbleweed",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "npm16-16.6.2-2.2.x86_64 as component of openSUSE Tumbleweed",
               product_id: "openSUSE Tumbleweed:npm16-16.6.2-2.2.x86_64",
            },
            product_reference: "npm16-16.6.2-2.2.x86_64",
            relates_to_product_reference: "openSUSE Tumbleweed",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2021-22918",
         ids: [
            {
               system_name: "SUSE CVE Page",
               text: "https://www.suse.com/security/cve/CVE-2021-22918",
            },
         ],
         notes: [
            {
               category: "general",
               text: "Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().",
               title: "CVE description",
            },
         ],
         product_status: {
            recommended: [
               "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.aarch64",
               "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.ppc64le",
               "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.s390x",
               "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.x86_64",
               "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.aarch64",
               "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.ppc64le",
               "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.s390x",
               "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.x86_64",
               "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.aarch64",
               "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.ppc64le",
               "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.s390x",
               "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.x86_64",
               "openSUSE Tumbleweed:npm16-16.6.2-2.2.aarch64",
               "openSUSE Tumbleweed:npm16-16.6.2-2.2.ppc64le",
               "openSUSE Tumbleweed:npm16-16.6.2-2.2.s390x",
               "openSUSE Tumbleweed:npm16-16.6.2-2.2.x86_64",
            ],
         },
         references: [
            {
               category: "external",
               summary: "CVE-2021-22918",
               url: "https://www.suse.com/security/cve/CVE-2021-22918",
            },
            {
               category: "external",
               summary: "SUSE Bug 1187973 for CVE-2021-22918",
               url: "https://bugzilla.suse.com/1187973",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
               product_ids: [
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.x86_64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 5.3,
                  baseSeverity: "MEDIUM",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               date: "2024-06-15T00:00:00Z",
               details: "moderate",
            },
         ],
         title: "CVE-2021-22918",
      },
      {
         cve: "CVE-2021-22930",
         ids: [
            {
               system_name: "SUSE CVE Page",
               text: "https://www.suse.com/security/cve/CVE-2021-22930",
            },
         ],
         notes: [
            {
               category: "general",
               text: "Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.",
               title: "CVE description",
            },
         ],
         product_status: {
            recommended: [
               "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.aarch64",
               "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.ppc64le",
               "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.s390x",
               "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.x86_64",
               "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.aarch64",
               "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.ppc64le",
               "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.s390x",
               "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.x86_64",
               "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.aarch64",
               "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.ppc64le",
               "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.s390x",
               "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.x86_64",
               "openSUSE Tumbleweed:npm16-16.6.2-2.2.aarch64",
               "openSUSE Tumbleweed:npm16-16.6.2-2.2.ppc64le",
               "openSUSE Tumbleweed:npm16-16.6.2-2.2.s390x",
               "openSUSE Tumbleweed:npm16-16.6.2-2.2.x86_64",
            ],
         },
         references: [
            {
               category: "external",
               summary: "CVE-2021-22930",
               url: "https://www.suse.com/security/cve/CVE-2021-22930",
            },
            {
               category: "external",
               summary: "SUSE Bug 1188917 for CVE-2021-22930",
               url: "https://bugzilla.suse.com/1188917",
            },
            {
               category: "external",
               summary: "SUSE Bug 1189368 for CVE-2021-22930",
               url: "https://bugzilla.suse.com/1189368",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
               product_ids: [
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.x86_64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 9.1,
                  baseSeverity: "CRITICAL",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  version: "3.1",
               },
               products: [
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               date: "2024-06-15T00:00:00Z",
               details: "critical",
            },
         ],
         title: "CVE-2021-22930",
      },
      {
         cve: "CVE-2021-22939",
         ids: [
            {
               system_name: "SUSE CVE Page",
               text: "https://www.suse.com/security/cve/CVE-2021-22939",
            },
         ],
         notes: [
            {
               category: "general",
               text: "If the Node.js https API was used incorrectly and \"undefined\" was in passed for the \"rejectUnauthorized\" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.",
               title: "CVE description",
            },
         ],
         product_status: {
            recommended: [
               "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.aarch64",
               "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.ppc64le",
               "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.s390x",
               "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.x86_64",
               "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.aarch64",
               "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.ppc64le",
               "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.s390x",
               "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.x86_64",
               "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.aarch64",
               "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.ppc64le",
               "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.s390x",
               "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.x86_64",
               "openSUSE Tumbleweed:npm16-16.6.2-2.2.aarch64",
               "openSUSE Tumbleweed:npm16-16.6.2-2.2.ppc64le",
               "openSUSE Tumbleweed:npm16-16.6.2-2.2.s390x",
               "openSUSE Tumbleweed:npm16-16.6.2-2.2.x86_64",
            ],
         },
         references: [
            {
               category: "external",
               summary: "CVE-2021-22939",
               url: "https://www.suse.com/security/cve/CVE-2021-22939",
            },
            {
               category: "external",
               summary: "SUSE Bug 1189369 for CVE-2021-22939",
               url: "https://bugzilla.suse.com/1189369",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
               product_ids: [
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.x86_64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 4.3,
                  baseSeverity: "MEDIUM",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               date: "2024-06-15T00:00:00Z",
               details: "moderate",
            },
         ],
         title: "CVE-2021-22939",
      },
      {
         cve: "CVE-2021-22940",
         ids: [
            {
               system_name: "SUSE CVE Page",
               text: "https://www.suse.com/security/cve/CVE-2021-22940",
            },
         ],
         notes: [
            {
               category: "general",
               text: "Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.",
               title: "CVE description",
            },
         ],
         product_status: {
            recommended: [
               "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.aarch64",
               "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.ppc64le",
               "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.s390x",
               "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.x86_64",
               "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.aarch64",
               "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.ppc64le",
               "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.s390x",
               "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.x86_64",
               "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.aarch64",
               "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.ppc64le",
               "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.s390x",
               "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.x86_64",
               "openSUSE Tumbleweed:npm16-16.6.2-2.2.aarch64",
               "openSUSE Tumbleweed:npm16-16.6.2-2.2.ppc64le",
               "openSUSE Tumbleweed:npm16-16.6.2-2.2.s390x",
               "openSUSE Tumbleweed:npm16-16.6.2-2.2.x86_64",
            ],
         },
         references: [
            {
               category: "external",
               summary: "CVE-2021-22940",
               url: "https://www.suse.com/security/cve/CVE-2021-22940",
            },
            {
               category: "external",
               summary: "SUSE Bug 1189368 for CVE-2021-22940",
               url: "https://bugzilla.suse.com/1189368",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
               product_ids: [
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.x86_64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               date: "2024-06-15T00:00:00Z",
               details: "critical",
            },
         ],
         title: "CVE-2021-22940",
      },
      {
         cve: "CVE-2021-3672",
         ids: [
            {
               system_name: "SUSE CVE Page",
               text: "https://www.suse.com/security/cve/CVE-2021-3672",
            },
         ],
         notes: [
            {
               category: "general",
               text: "A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.",
               title: "CVE description",
            },
         ],
         product_status: {
            recommended: [
               "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.aarch64",
               "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.ppc64le",
               "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.s390x",
               "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.x86_64",
               "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.aarch64",
               "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.ppc64le",
               "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.s390x",
               "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.x86_64",
               "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.aarch64",
               "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.ppc64le",
               "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.s390x",
               "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.x86_64",
               "openSUSE Tumbleweed:npm16-16.6.2-2.2.aarch64",
               "openSUSE Tumbleweed:npm16-16.6.2-2.2.ppc64le",
               "openSUSE Tumbleweed:npm16-16.6.2-2.2.s390x",
               "openSUSE Tumbleweed:npm16-16.6.2-2.2.x86_64",
            ],
         },
         references: [
            {
               category: "external",
               summary: "CVE-2021-3672",
               url: "https://www.suse.com/security/cve/CVE-2021-3672",
            },
            {
               category: "external",
               summary: "SUSE Bug 1188881 for CVE-2021-3672",
               url: "https://bugzilla.suse.com/1188881",
            },
            {
               category: "external",
               summary: "SUSE Bug 1193099 for CVE-2021-3672",
               url: "https://bugzilla.suse.com/1193099",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
               product_ids: [
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.x86_64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 8.1,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
                  version: "3.1",
               },
               products: [
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-devel-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:nodejs16-docs-16.6.2-2.2.x86_64",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.aarch64",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.ppc64le",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.s390x",
                  "openSUSE Tumbleweed:npm16-16.6.2-2.2.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               date: "2024-06-15T00:00:00Z",
               details: "important",
            },
         ],
         title: "CVE-2021-3672",
      },
   ],
}

cve-2021-22939

Vulnerability from cvelistv5

Published

2021-08-16 00:00

Modified

2024-08-03 18:58

Severity ?

Summary

If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.

References

▼	URL	Tags
	https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
	https://hackerone.com/reports/1278254
	https://www.oracle.com/security-alerts/cpuoct2021.html
	https://security.netapp.com/advisory/ntap-20210917-0003/
	https://www.oracle.com/security-alerts/cpujan2022.html
	https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
	https://www.oracle.com/security-alerts/cpujul2022.html
	https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html	mailing-list
	https://security.gentoo.org/glsa/202401-02	vendor-advisory

Impacted products

	Vendor	Product	Version
	n/a	https://github.com/nodejs/node	Version: Fixed version 16.6.2, 14.17.5, and 12.22.5

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T18:58:26.311Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://hackerone.com/reports/1278254",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20210917-0003/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujan2022.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2022.html",
               },
               {
                  name: "[debian-lts-announce] 20221005 [SECURITY] [DLA 3137-1] nodejs security update",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html",
               },
               {
                  name: "GLSA-202401-02",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202401-02",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "https://github.com/nodejs/node",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "Fixed version 16.6.2, 14.17.5, and 12.22.5",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "If the Node.js https API was used incorrectly and \"undefined\" was in passed for the \"rejectUnauthorized\" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-295",
                     description: "Improper Certificate Validation (CWE-295)",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-01-05T10:06:25.767920",
            orgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            shortName: "hackerone",
         },
         references: [
            {
               url: "https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/",
            },
            {
               url: "https://hackerone.com/reports/1278254",
            },
            {
               url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
            },
            {
               url: "https://security.netapp.com/advisory/ntap-20210917-0003/",
            },
            {
               url: "https://www.oracle.com/security-alerts/cpujan2022.html",
            },
            {
               url: "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
            },
            {
               url: "https://www.oracle.com/security-alerts/cpujul2022.html",
            },
            {
               name: "[debian-lts-announce] 20221005 [SECURITY] [DLA 3137-1] nodejs security update",
               tags: [
                  "mailing-list",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html",
            },
            {
               name: "GLSA-202401-02",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://security.gentoo.org/glsa/202401-02",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
      assignerShortName: "hackerone",
      cveId: "CVE-2021-22939",
      datePublished: "2021-08-16T00:00:00",
      dateReserved: "2021-01-06T00:00:00",
      dateUpdated: "2024-08-03T18:58:26.311Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-22940

Vulnerability from cvelistv5

Published

2021-08-16 00:00

Modified

2024-08-03 18:58

Severity ?

Summary

Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

References

▼	URL	Tags
	https://hackerone.com/reports/1238162
	https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
	https://www.oracle.com/security-alerts/cpuoct2021.html
	https://security.netapp.com/advisory/ntap-20210923-0001/
	https://www.oracle.com/security-alerts/cpujan2022.html
	https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
	https://www.oracle.com/security-alerts/cpujul2022.html
	https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html	mailing-list
	https://security.gentoo.org/glsa/202401-02	vendor-advisory

Impacted products

	Vendor	Product	Version
	n/a	https://github.com/nodejs/node	Version: Fixed versions 16.6.2, 14.17.5, and 12.22.5

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T18:58:25.987Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://hackerone.com/reports/1238162",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20210923-0001/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujan2022.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2022.html",
               },
               {
                  name: "[debian-lts-announce] 20221005 [SECURITY] [DLA 3137-1] nodejs security update",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html",
               },
               {
                  name: "GLSA-202401-02",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202401-02",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "https://github.com/nodejs/node",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "Fixed versions 16.6.2, 14.17.5, and 12.22.5",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-416",
                     description: "Use After Free (CWE-416)",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-01-05T10:06:24.062966",
            orgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            shortName: "hackerone",
         },
         references: [
            {
               url: "https://hackerone.com/reports/1238162",
            },
            {
               url: "https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/",
            },
            {
               url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
            },
            {
               url: "https://security.netapp.com/advisory/ntap-20210923-0001/",
            },
            {
               url: "https://www.oracle.com/security-alerts/cpujan2022.html",
            },
            {
               url: "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
            },
            {
               url: "https://www.oracle.com/security-alerts/cpujul2022.html",
            },
            {
               name: "[debian-lts-announce] 20221005 [SECURITY] [DLA 3137-1] nodejs security update",
               tags: [
                  "mailing-list",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html",
            },
            {
               name: "GLSA-202401-02",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://security.gentoo.org/glsa/202401-02",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
      assignerShortName: "hackerone",
      cveId: "CVE-2021-22940",
      datePublished: "2021-08-16T00:00:00",
      dateReserved: "2021-01-06T00:00:00",
      dateUpdated: "2024-08-03T18:58:25.987Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-22918

Vulnerability from cvelistv5

Published

2021-07-12 00:00

Modified

2024-08-03 18:58

Severity ?

Summary

Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().

References

▼	URL	Tags
	https://hackerone.com/reports/1209681
	https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/
	https://security.netapp.com/advisory/ntap-20210805-0003/
	https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
	https://security.gentoo.org/glsa/202401-23	vendor-advisory

Impacted products

	Vendor	Product	Version
	n/a	https://github.com/nodejs/node	Version: Fixed in 16.4.1, 14.17.2, and 12.22.2

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T18:58:25.665Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://hackerone.com/reports/1209681",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20210805-0003/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
               },
               {
                  name: "GLSA-202401-23",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202401-23",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "https://github.com/nodejs/node",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "Fixed in 16.4.1, 14.17.2, and 12.22.2",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-125",
                     description: "Out-of-bounds Read (CWE-125)",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-01-16T13:06:23.371662",
            orgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            shortName: "hackerone",
         },
         references: [
            {
               url: "https://hackerone.com/reports/1209681",
            },
            {
               url: "https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/",
            },
            {
               url: "https://security.netapp.com/advisory/ntap-20210805-0003/",
            },
            {
               url: "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
            },
            {
               name: "GLSA-202401-23",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://security.gentoo.org/glsa/202401-23",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
      assignerShortName: "hackerone",
      cveId: "CVE-2021-22918",
      datePublished: "2021-07-12T00:00:00",
      dateReserved: "2021-01-06T00:00:00",
      dateUpdated: "2024-08-03T18:58:25.665Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-3672

Vulnerability from cvelistv5

Published

2021-11-23 00:00

Modified

2024-10-15 17:14

Severity ?

Summary

A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.

References

▼	URL	Tags
	https://bugzilla.redhat.com/show_bug.cgi?id=1988342
	https://c-ares.haxx.se/adv_20210810.html
	https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
	https://www.oracle.com/security-alerts/cpujul2022.html
	https://security.gentoo.org/glsa/202401-02	vendor-advisory

Impacted products

	Vendor	Product	Version
	n/a	c-ares	Version: c-ares 1.17.2

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T17:01:07.975Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://bugzilla.redhat.com/show_bug.cgi?id=1988342",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://c-ares.haxx.se/adv_20210810.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2022.html",
               },
               {
                  name: "GLSA-202401-02",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202401-02",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2021-3672",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-10-15T17:09:33.511285Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-10-15T17:14:27.220Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "c-ares",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "c-ares 1.17.2",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-79",
                     description: "CWE-79",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-01-05T10:06:20.709588",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1988342",
            },
            {
               url: "https://c-ares.haxx.se/adv_20210810.html",
            },
            {
               url: "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
            },
            {
               url: "https://www.oracle.com/security-alerts/cpujul2022.html",
            },
            {
               name: "GLSA-202401-02",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://security.gentoo.org/glsa/202401-02",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2021-3672",
      datePublished: "2021-11-23T00:00:00",
      dateReserved: "2021-07-30T00:00:00",
      dateUpdated: "2024-10-15T17:14:27.220Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-22930

Vulnerability from cvelistv5

Published

2021-10-07 00:00

Modified

2024-08-03 18:58

Severity ?

Summary

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

References

▼	URL	Tags
	https://hackerone.com/reports/1238162
	https://nodejs.org/en/blog/vulnerability/july-2021-security-releases-2/
	https://security.netapp.com/advisory/ntap-20211112-0002/
	https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
	https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html	mailing-list
	https://security.gentoo.org/glsa/202401-02	vendor-advisory

Impacted products

	Vendor	Product	Version
	n/a	https://github.com/nodejs/node	Version: Fixed versions 16.6.0, 14.17.4, and 12.22.4

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T18:58:26.157Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://hackerone.com/reports/1238162",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://nodejs.org/en/blog/vulnerability/july-2021-security-releases-2/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20211112-0002/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
               },
               {
                  name: "[debian-lts-announce] 20221005 [SECURITY] [DLA 3137-1] nodejs security update",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html",
               },
               {
                  name: "GLSA-202401-02",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202401-02",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "https://github.com/nodejs/node",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "Fixed versions 16.6.0, 14.17.4, and 12.22.4",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-416",
                     description: "Use After Free (CWE-416)",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-01-05T10:06:19.124093",
            orgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            shortName: "hackerone",
         },
         references: [
            {
               url: "https://hackerone.com/reports/1238162",
            },
            {
               url: "https://nodejs.org/en/blog/vulnerability/july-2021-security-releases-2/",
            },
            {
               url: "https://security.netapp.com/advisory/ntap-20211112-0002/",
            },
            {
               url: "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
            },
            {
               name: "[debian-lts-announce] 20221005 [SECURITY] [DLA 3137-1] nodejs security update",
               tags: [
                  "mailing-list",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html",
            },
            {
               name: "GLSA-202401-02",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://security.gentoo.org/glsa/202401-02",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
      assignerShortName: "hackerone",
      cveId: "CVE-2021-22930",
      datePublished: "2021-10-07T00:00:00",
      dateReserved: "2021-01-06T00:00:00",
      dateUpdated: "2024-08-03T18:58:26.157Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

Vulnerability from csaf_opensuse

cve-2021-22939

Vulnerability from cvelistv5

cve-2021-22940

Vulnerability from cvelistv5

cve-2021-22918

Vulnerability from cvelistv5

cve-2021-3672

Vulnerability from cvelistv5

cve-2021-22930

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature