Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nodejsblogOpenJS FoundationNODEJSBLOG:FEBRUARY-2021-SECURITY-RELEASES
HistoryFeb 23, 2021 - 12:00 a.m.

February 2021 Security Releases

2021-02-2300:00:00
OpenJS Foundation
nodejs.org
29
security releases
node.js
http2
denial of service
dns rebinding
openssl

CVSS2

7.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.8

Confidence

High

EPSS

0.033

Percentile

91.3%

JSON

(Update 23-Feb-2021) Security releases available

Updates are now available for v10.x, v12.x, v14.x and v15.x Node.js release lines for the following issues.

HTTP2 ‘unknownProtocol’ cause Denial of Service by resource exhaustion (Critical) (CVE-2021-22883)

Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an ‘unknownProtocol’ are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.

Impacts:

  • All versions of the 15.x, 14.x, 12.x and 10.x releases lines

Thank you to OMICRON electronics for reporting this vulnerability.

DNS rebinding in --inspect (CVE-2021-22884)

Affected Node.js versions are vulnerable to a DNS rebinding attack when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim’s DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.

Impacts:

  • All versions of the 15.x, 14.x, 12.x and 10.x releases lines

Thank you to Vít Šesták for reporting this vulnerability

OpenSSL - Integer overflow in CipherUpdate (CVE-2021-23840)

This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in <https://www.openssl.org/news/secadv/20210216.txt&gt;

Impacts:

  • All versions of the 15.x, 14.x, 12.x and 10.x releases lines

Downloads and release details

  • Node.js v10.24.0 (LTS)
  • Node.js v12.21.0 (LTS)
  • Node.js v14.16.0 (LTS)
  • Node.js v15.10.0 (Current)

PrevApril 2021 Security ReleasesNextJanuary 2021 Security Releases

Related

freebsd 1
nessus 47
openvas 24
ibm 21
suse 4
osv 18
almalinux 3
redhat 10
prion 4
cve 4
hackerone 4
nvd 4
rocky 3
oraclelinux 4
mageia 2
altlinux 3
ubuntucve 4
debiancve 4
redhatcve 5
alpinelinux 4
cvelist 4
ubuntu 1
debian 1
fedora 3
photon 4
f5 2
veracode 4
github 2
openssl 1
rustsec 1
cloudlinux 1
githubexploit 1
ics 1
freebsd
freebsd
Node.js -- February 2021 Security Releases
2021-02-23 00:00:00
nessus
nessus
FreeBSD : Node.js -- February 2021 Security Releases (2f3cd69e-7dee-11eb-b92e-0022489ad614)
2021-03-10 00:00:00
Node.js 10.x < 10.24.0 / 12.x < 12.21.0 / 14.x < 14.16.0 / 15.x < 15.10.0 Multiple Vulnerabilities
2021-03-05 00:00:00
Rocky Linux 8 : nodejs:14 (RLSA-2021:0744)
2023-11-06 00:00:00
openvas
openvas
Node.js 10.x < 10.24.0, 12.x < 12.21.0, 14.x < 14.16.0, 15.x < 15.10.0 Multiple Vulnerabilities - Windows
2021-03-08 00:00:00
SUSE: Security Advisory (SUSE-SU-2021:0673-1)
2021-06-09 00:00:00
SUSE: Security Advisory (SUSE-SU-2021:0651-1)
2021-06-09 00:00:00
ibm
ibm
Security Bulletin: IBM Cloud Private is vulnerable to OpenSSL and Node.js vulnerabilities (CVE-2021-23840, CVE-2021-22884, CVE-2021-22883)
2021-09-03 13:34:41
Security Bulletin: A security vulnerability in Node.js affects IBM Cloud Pak for Multicloud Management Managed Service
2021-05-13 19:34:49
Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to multiple denial of service through the Node.js runtime
2021-04-30 13:25:56
suse
suse
Security update for nodejs10 (important)
2021-03-03 00:00:00
Security update for nodejs12 (important)
2021-02-28 00:00:00
Security update for nodejs14 (important)
2021-02-28 00:00:00
osv
osv
nodejs vulnerabilities
2023-10-05 08:45:53
Important: nodejs:14 security and bug fix update
2021-03-08 09:55:44
Important: nodejs:10 security update
2021-03-04 15:17:39
almalinux
almalinux
Important: nodejs:10 security update
2021-03-04 15:17:39
Important: nodejs:14 security and bug fix update
2021-03-08 09:55:44
Important: nodejs:12 security update
2021-03-04 15:17:37
redhat
redhat
(RHSA-2021:0735) Important: nodejs:10 security update
2021-03-04 15:17:39
(RHSA-2021:0734) Important: nodejs:12 security update
2021-03-04 15:17:37
(RHSA-2021:0741) Important: nodejs:10 security update
2021-03-08 09:16:17
prion
prion
Code injection
2021-03-03 18:15:00
Remote code execution
2018-05-17 14:29:00
Design/Logic Flaw
2021-03-03 18:15:00
cve
cve
CVE-2021-22884
2021-03-03 18:15:14
CVE-2021-22883
2021-03-03 18:15:14
CVE-2018-7160
2018-05-17 14:29:00
hackerone
hackerone
Node.js: DNS rebinding in --inspect (insufficient fix of CVE-2018-7160)
2020-12-31 23:31:42
Node.js: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
2020-11-25 11:06:27
Internet Bug Bounty: DNS rebinding in --inspect (insufficient fix of CVE-2022-32212 affecting macOS devices)
2022-09-28 08:45:11
nvd
nvd
CVE-2021-22884
2021-03-03 18:15:14
CVE-2018-7160
2018-05-17 14:29:00
CVE-2021-22883
2021-03-03 18:15:14
rocky
rocky
nodejs:12 security update
2021-03-04 15:17:37
nodejs:10 security update
2021-03-04 15:17:39
nodejs:14 security and bug fix update
2021-03-08 09:55:44
oraclelinux
oraclelinux
nodejs:10 security update
2021-03-05 00:00:00
nodejs:12 security update
2021-03-05 00:00:00
nodejs:14 security and bug fix update
2021-03-09 00:00:00
mageia
mageia
Updated nodejs packages fix security vulnerabilities
2021-03-01 02:16:12
Updated openssl and compat-openssl10 packages fix security vulnerabilities
2021-03-04 19:53:32
altlinux
altlinux
Security fix for the ALT Linux 10 package node version 14.16.0-alt1
2021-02-23 00:00:00
Security fix for the ALT Linux 9 package node version 14.16.0-alt1
2021-03-16 00:00:00
Security fix for the ALT Linux 10 package openssl1.1 version 1.1.1j-alt1
2021-03-12 00:00:00
ubuntucve
ubuntucve
CVE-2021-22884
2021-03-03 00:00:00
CVE-2018-7160
2018-05-17 00:00:00
CVE-2021-22883
2021-03-03 00:00:00
debiancve
debiancve
CVE-2021-22884
2021-03-03 18:15:14
CVE-2018-7160
2018-05-17 14:29:00
CVE-2021-22883
2021-03-03 18:15:14
redhatcve
redhatcve
CVE-2021-22884
2021-02-23 20:03:29
CVE-2018-7160
2020-03-30 08:22:03
CVE-2021-22883
2021-02-23 19:34:59
alpinelinux
alpinelinux
CVE-2021-22884
2021-03-03 18:15:14
CVE-2021-22883
2021-03-03 18:15:14
CVE-2018-7160
2018-05-17 14:29:00
cvelist
cvelist
CVE-2021-22884
2021-03-03 17:37:46
CVE-2021-22883
2021-03-03 17:38:32
CVE-2018-7160
2018-05-17 14:00:00
ubuntu
ubuntu
Node.js vulnerabilities
2023-10-05 00:00:00
debian
debian
[SECURITY] [DSA 4863-1] nodejs security update
2021-02-24 19:25:39
fedora
fedora
[SECURITY] Fedora 34 Update: nodejs-14.16.0-1.fc34
2021-03-19 20:26:10
[SECURITY] Fedora 32 Update: nodejs-12.21.0-2.fc32
2021-03-12 00:07:47
[SECURITY] Fedora 33 Update: nodejs-14.16.0-1.fc33
2021-03-11 23:38:48
photon
photon
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2021-2.0-0330
2021-03-19 00:00:00
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2021-1.0-0373
2021-03-22 00:00:00
Important Photon OS Security Update - PHSA-2021-0330
2021-03-16 00:00:00
f5
f5
K63025104 : NodeJS vulnerability CVE-2018-7160
2019-11-25 00:00:00
K24624116 : OpenSSL vulnerability CVE-2021-23840
2021-02-18 00:00:00
veracode
veracode
DNS Rebinding
2018-05-09 08:26:57
DNS Rebinding
2021-02-24 17:20:17
Denial Of Service (DoS)
2021-02-24 17:20:16
github
github
Withdrawn Advisory: Node.js Inspector RCE via DNS Rebinding
2022-05-13 01:08:23
Integer Overflow in openssl-src
2021-08-25 20:52:19
openssl
openssl
Vulnerability in OpenSSL - Integer overflow in CipherUpdate
2021-02-16 00:00:00
rustsec
rustsec
Integer overflow in CipherUpdate
2021-05-01 12:00:00
cloudlinux
cloudlinux
Fix of CVE: CVE-2021-23840
2021-09-21 22:03:05
githubexploit
githubexploit
Exploit for Integer Overflow or Wraparound in Openssl
2023-09-11 09:24:54
ics
ics
Mitsubishi Electric MELSOFT GT OPC UA
2022-05-10 12:00:00

CVSS2

7.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.8

Confidence

High

EPSS

0.033

Percentile

91.3%

JSON
Related for NODEJSBLOG:FEBRUARY-2021-SECURITY-RELEASES
freebsd1nessus47openvas24ibm21suse4osv18almalinux3redhat10prion4cve4hackerone4nvd4rocky3oraclelinux4mageia2altlinux3ubuntucve4debiancve4redhatcve5alpinelinux4cvelist4ubuntu1debian1fedora3photon4f52veracode4github2openssl1rustsec1cloudlinux1githubexploit1ics1