CVE-2021-22918

Sažetak

Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().

Reference

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://hackerone.com/reports/1209681
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/
https://security.gentoo.org/glsa/202401-23
https://security.netapp.com/advisory/ntap-20210805-0003/

CVSS

Base:	5.0
Impact:	2.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	NONE

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:N/A:N

Zadnje važnije ažuriranje

16-01-2024 - 13:15

Objavljeno

12-07-2021 - 11:15