Lucene search

Alpine Linux Development TeamALPINE:CVE-2021-22918

HistoryJul 12, 2021 - 11:15 a.m.

CVE-2021-22918

2021-07-1211:15:07

Alpine Linux Development Team

security.alpinelinux.org

node.js

out-of-bounds read

uv__idna_toascii

information disclosures

crashes

uv_getaddrinfo

unix

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

46.5%

JSON

Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().

OSVersionArchitecturePackageVersionFilename
Alpine3.11-mainnoarchnodejs< 12.22.2-r0UNKNOWN
Alpine3.12-mainnoarchnodejs< 12.22.2-r0UNKNOWN
Alpine3.13-mainnoarchnodejs< 14.17.3-r0UNKNOWN
Alpine3.14-mainnoarchnodejs< 14.17.3-r0UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Alpine	3.11-main	noarch	nodejs	< 12.22.2-r0	UNKNOWN
Alpine	3.12-main	noarch	nodejs	< 12.22.2-r0	UNKNOWN
Alpine	3.13-main	noarch	nodejs	< 14.17.3-r0	UNKNOWN
Alpine	3.14-main	noarch	nodejs	< 14.17.3-r0	UNKNOWN