← Back

CVE-2021-22931

nvd nist
Published: Aug 16, 2021Modified: Nov 21, 2024

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.

Affected (18)

Show all products
Nodejs: Node.js · Netapp: Active Iq Unified Manager, Nextgen Api, Oncommand Insight, Oncommand Workflow Automation, Snapcenter · Oracle: Graalvm, Mysql Cluster, Peoplesoft Enterprise Peopletools · Siemens: Sinec Infrastructure Network Services
Nodejs
1 product
Node.js
Netapp
5 products
Active Iq Unified Manager
Nextgen Api
Oncommand Insight
Oncommand Workflow Automation
Snapcenter
Oracle
3 products
Graalvm
Mysql Cluster
Peoplesoft Enterprise Peopletools
Siemens
1 product
Sinec Infrastructure Network Services
Configuration A
5 vulnerable
Vulnerable SoftwareAffected Versions
Nodejs
Node.js
From 12.0.0 to 12.12.0
Node.js
From 14.0.0 to 14.14.0
Node.js
From 16.0.0 to 16.6.2
Node.js
From 12.13.0 to 12.22.5
Node.js
From 14.15.0 to 14.17.5
Configuration B
6 vulnerable
Vulnerable SoftwareAffected Versions
Netapp
Active Iq Unified Manager
All versions
Active Iq Unified Manager
All versions
Nextgen Api
All versions
Oncommand Insight
All versions
Oncommand Workflow Automation
All versions
Snapcenter
All versions
Configuration C
6 vulnerable
Vulnerable SoftwareAffected Versions
Oracle
Graalvm
Version 20.3.3
Graalvm
Version 21.2.0
Mysql Cluster
Up to 8.0.26
Oracle
Peoplesoft Enterprise Peopletools
Version 8.57
Peoplesoft Enterprise Peopletools
Version 8.58
Peoplesoft Enterprise Peopletools
Version 8.59
Configuration D
1 vulnerable
Vulnerable SoftwareAffected Versions
Sinec Infrastructure Network Services
Before 1.0.1.1

Related CWEs

CWE-170
Improper Null Termination
The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.
CWE-20
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (18)

Source: support@hackerone.com
PatchThird Party Advisory
Source: support@hackerone.com
ExploitIssue TrackingThird Party Advisory
Source: support@hackerone.com
PatchVendor Advisory
Source: support@hackerone.com
Source: support@hackerone.com
Third Party Advisory
Source: support@hackerone.com
Third Party Advisory
Source: support@hackerone.com
PatchThird Party Advisory
Source: support@hackerone.com
Third Party Advisory
Source: support@hackerone.com
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitIssue TrackingThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory

Timeline

No history available yet.