Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMB7FB66FEBF982A2C6668BEA0114F7FF36DDDB76BEB896729B9563A7574FC76BC
HistoryFeb 25, 2022 - 8:30 p.m.

Security Bulletin: Vulnerability in Node.js-CVE-2021-23362, CVE-2021-22921, CVE-2021-22918, CVE-2021-27290 may affect IBM Watson Assistant for IBM Cloud Pak for Data.

2022-02-2520:30:59
www.ibm.com
28

0.003 Low

EPSS

Percentile

70.9%

JSON

Summary

Potential vulnerabilities in Node.js CVE-2021-23362, CVE-2021-22921, CVE-2021-22918, CVE-2021-27290 has been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. Refer to details for additional information.

Vulnerability Details

CVEID:CVE-2021-23362
**DESCRIPTION:**Node.js hosted-git-info module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the fromUrl function in index.js. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/198792 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-22921
**DESCRIPTION:**Node.js could allow a local attacker to gain elevated privileges on the system, caused by improper configuration of permissions in the installation directory. Under certain conditions. An attacker could exploit this vulnerability to perform PATH and DLL hijacking attacks.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204785 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2021-22918
**DESCRIPTION:**Node.js is vulnerable to a denial of service, caused by an out-of-bounds read in the libuv’s uv__idna_toascii() function. By invoking the function using dns module’s lookup() function, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204784 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

CVEID:CVE-2021-27290
**DESCRIPTION:**Node.js ssri module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw by the SRIs. By sending a specially-crafted regex string, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/198144 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Watson Assistant for Cloud Pak for Data 1.5.0, 4.0.0. 4.0.2, 4.0.4, 4.0.5

Remediation/Fixes

For all affected versions, IBM strongly recommends addressing the vulnerability now by upgrading to the upcoming latest (v4.0.6) release of IBM Watson Assistant for IBM Cloud Pak for Data which maintains backward compatibility with the versions listed above.

Product Latest Version Remediation/Fix/Instructions
IBM Watson Assistant for IBM Cloud Pak for Data 4.0.6

Follow instructions for Installing Watson Assistant in Link to Release (v4.0.6 release information)

<https://www.ibm.com/docs/en/cloud-paks/cp-data/4.0?topic=assistant-installing-watson&gt;

Workarounds and Mitigations

None

Related

nessus 45
freebsd 1
ibm 31
nodejsblog 1
archlinux 4
almalinux 3
oraclelinux 3
rocky 3
redhat 7
osv 17
suse 8
openvas 25
mageia 2
prion 4
cve 4
debiancve 4
cvelist 4
ubuntucve 4
nvd 4
redhatcve 3
github 2
veracode 3
hackerone 2
photon 2
alpinelinux 2
ubuntu 2
debian 1
altlinux 2
amazon 1
nodejs 1
cbl_mariner 1
gentoo 1
kitploit 1
ics 1
nessus
nessus
Node.js 12.x < 12.22.2 / 14.x < 14.17.2 / 16.x < 16.4.1 Multiple Vulnerabilities
2021-07-22 00:00:00
FreeBSD : Node.js -- July 2021 Security Releases (c174118e-1b11-11ec-9d9d-0022489ad614)
2021-10-01 00:00:00
Rocky Linux 8 : nodejs:12 (RLSA-2021:3073)
2022-02-09 00:00:00
freebsd
freebsd
Node.js -- July 2021 Security Releases
2021-07-01 00:00:00
ibm
ibm
Security Bulletin: Multiple vulnerabilities affect IBM Rational® Application Developer for WebSphere® Software - September 2021
2021-09-30 15:00:34
Security Bulletin: Multiple vulnerabilities affect IBM Observability with Instana
2022-01-11 20:10:06
Security Bulletin: Multiple vulnerabilities in Node.js affect IBM App Connect Enterprise v11 & v12 (CVE-2021-22918 and CVE-2021-22921)
2021-10-01 11:17:05
nodejsblog
nodejsblog
July 2021 Security Releases
2021-07-01 00:00:00
archlinux
archlinux
[ASA-202107-13] nodejs: multiple issues
2021-07-06 00:00:00
[ASA-202107-33] nodejs-lts-erbium: multiple issues
2021-07-20 00:00:00
[ASA-202107-32] nodejs-lts-fermium: multiple issues
2021-07-20 00:00:00
almalinux
almalinux
Moderate: nodejs:14 security, bug fix, and enhancement update
2021-08-10 12:00:51
Moderate: nodejs:12 security, bug fix, and enhancement update
2021-08-10 12:00:47
Low: libuv security update
2021-08-10 12:00:55
oraclelinux
oraclelinux
nodejs:12 security, bug fix, and enhancement update
2021-08-12 00:00:00
nodejs:14 security, bug fix, and enhancement update
2021-08-12 00:00:00
libuv security update
2021-08-11 00:00:00
rocky
rocky
nodejs:12 security, bug fix, and enhancement update
2021-08-10 12:00:47
nodejs:14 security, bug fix, and enhancement update
2021-08-10 12:00:51
libuv security update
2021-08-10 12:00:55
redhat
redhat
(RHSA-2021:3074) Moderate: nodejs:14 security, bug fix, and enhancement update
2021-08-10 12:00:51
(RHSA-2021:3073) Moderate: nodejs:12 security, bug fix, and enhancement update
2021-08-10 12:00:47
(RHSA-2021:2932) Moderate: rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon security update
2021-07-28 07:39:31
osv
osv
Moderate: nodejs:12 security, bug fix, and enhancement update
2021-08-10 12:00:47
Moderate: nodejs:14 security, bug fix, and enhancement update
2021-08-10 12:00:51
Moderate: nodejs:12 security, bug fix, and enhancement update
2021-08-10 12:00:47
suse
suse
Security update for nodejs14 (important)
2021-07-15 00:00:00
Security update for nodejs14 (important)
2021-07-20 00:00:00
Security update for nodejs10 (important)
2021-07-15 00:00:00
openvas
openvas
openSUSE: Security Advisory for nodejs14 (openSUSE-SU-2021:2354-1)
2021-07-16 00:00:00
SUSE: Security Advisory (SUSE-SU-2021:2319-1)
2021-07-15 00:00:00
SUSE: Security Advisory (SUSE-SU-2021:2354-1)
2021-07-16 00:00:00
mageia
mageia
Updated nodejs packages fix security vulnerabilities
2021-07-25 17:45:06
Updated libuv packages fix security vulnerability
2021-07-20 13:46:47
prion
prion
Design/Logic Flaw
2021-07-12 11:15:00
Design/Logic Flaw
2021-03-23 17:15:00
Design/Logic Flaw
2021-03-12 22:15:00
cve
cve
CVE-2021-22921
2021-07-12 11:15:08
CVE-2021-23362
2021-03-23 17:15:14
CVE-2021-22918
2021-07-12 11:15:07
debiancve
debiancve
CVE-2021-22921
2021-07-12 11:15:08
CVE-2021-27290
2021-03-12 22:15:14
CVE-2021-22918
2021-07-12 11:15:07
cvelist
cvelist
CVE-2021-22921
2021-07-12 10:22:24
CVE-2021-27290
2021-03-12 21:47:41
CVE-2021-22918
2021-07-12 00:00:00
ubuntucve
ubuntucve
CVE-2021-22921
2021-07-12 00:00:00
CVE-2021-23362
2021-03-23 00:00:00
CVE-2021-22918
2021-07-02 00:00:00
nvd
nvd
CVE-2021-22921
2021-07-12 11:15:08
CVE-2021-27290
2021-03-12 22:15:14
CVE-2021-22918
2021-07-12 11:15:07
redhatcve
redhatcve
CVE-2021-23362
2021-03-25 15:23:08
CVE-2021-22918
2021-07-06 15:17:41
CVE-2021-27290
2021-03-22 08:58:41
github
github
Regular Expression Denial of Service in hosted-git-info
2021-05-06 16:10:39
Regular Expression Denial of Service (ReDoS)
2021-03-19 21:24:36
veracode
veracode
Regular Expression Denial Of Service (ReDoS)
2021-03-24 04:03:06
Information Disclosure
2021-07-10 13:46:13
Regular Expression Denial Of Service (ReDoS)
2021-03-15 01:24:07
hackerone
hackerone
Node.js: OOB read in libuv
2021-05-26 06:22:37
Node.js: Node Installer Local Privilege Escalation
2021-05-28 00:40:40
photon
photon
Important Photon OS Security Update - PHSA-2021-0074
2021-08-02 00:00:00
Moderate Photon OS Security Update - PHSA-2021-4.0-0074
2021-08-02 00:00:00
alpinelinux
alpinelinux
CVE-2021-22918
2021-07-12 11:15:07
CVE-2021-27290
2021-03-12 22:15:14
ubuntu
ubuntu
libuv vulnerability
2021-07-07 00:00:00
hosted-git-info vulnerability
2022-09-02 00:00:00
debian
debian
[SECURITY] [DSA 4936-1] libuv1 security update
2021-07-05 18:35:15
altlinux
altlinux
Security fix for the ALT Linux 9 package node version 14.17.2-alt1
2021-08-03 00:00:00
Security fix for the ALT Linux 10 package node version 14.17.2-alt1
2021-07-01 00:00:00
amazon
amazon
Low: libuv
2024-01-03 21:04:00
nodejs
nodejs
Regular Expression Denial of Service
2021-05-06 16:15:08
cbl_mariner
cbl_mariner
CVE-2021-22918 affecting package nodejs 14.17.0-1
2021-08-11 06:39:34
gentoo
gentoo
libuv: Buffer Overread
2024-01-16 00:00:00
kitploit
kitploit
Regexploit - Find Regular Expressions Which Are Vulnerable To ReDoS (Regular Expression Denial Of Service)
2021-07-20 12:30:00
ics
ics
Siemens SINEC INS
2022-03-10 12:00:00

0.003 Low

EPSS

Percentile

70.9%

JSON
Related for B7FB66FEBF982A2C6668BEA0114F7FF36DDDB76BEB896729B9563A7574FC76BC
nessus45freebsd1ibm31nodejsblog1archlinux4almalinux3oraclelinux3rocky3redhat7osv17suse8openvas25mageia2prion4cve4debiancve4cvelist4ubuntucve4nvd4redhatcve3github2veracode3hackerone2photon2alpinelinux2ubuntu2debian1altlinux2amazon1nodejs1cbl_mariner1gentoo1kitploit1ics1