CVE-2021-22940

Summary

CVE	CVE-2021-22940
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-08-16 19:15:00 UTC
Updated	2024-01-05 10:15:00 UTC
Description	Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

Risk And Classification

Problem Types: CWE-416

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	10.0	All	All	All
Application	Netapp	Nextgen Api	-	All	All	All
Application	Nodejs	Node.js	All	All	All	All
Application	Nodejs	Node.js	All	All	All	All
Application	Oracle	Graalvm	20.3.3	All	All	All
Application	Oracle	Graalvm	21.2.0	All	All	All
Application	Oracle	Jd Edwards Enterpriseone Tools	All	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.57	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.58	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.59	All	All	All
Application	Siemens	Sinec Infrastructure Network Services	All	All	All	All

References

Reference	Source	Link	Tags
August 2021 Security Releases \| Node.js	MISC	nodejs.org
Oracle Critical Patch Update Advisory - October 2021	MISC	www.oracle.com
GLSA-202401-02		security.gentoo.org
Oracle Critical Patch Update Advisory - January 2022	MISC	www.oracle.com
[SECURITY] [DLA 3137-1] nodejs security update	MLIST	lists.debian.org
HackerOne	MISC	hackerone.com
cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf	CONFIRM	cert-portal.siemens.com
Oracle Critical Patch Update Advisory - July 2022	N/A	www.oracle.com
August 2021 Node.js Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

159398 Oracle Enterprise Linux Security Update for nodejs:12 (ELSA-2021-3623)
159408 Oracle Enterprise Linux Security Update for nodejs:14 (ELSA-2021-3666)
181111 Debian Security Update for nodejs (DLA 3137-1)
182460 Debian Security Update for nodejs (CVE-2021-22940)
239590 Red Hat Update for rh-nodejs12-nodejs and rh-nodejs12-nodejs-nodemon (RHSA-2021:3281)
239591 Red Hat Update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon (RHSA-2021:3280)
239645 Red Hat Update for nodejs:12 (RHSA-2021:3623)
239654 Red Hat Update for nodejs:12 (RHSA-2021:3639)
239655 Red Hat Update for nodejs:12 (RHSA-2021:3638)
239658 Red Hat Update for nodejs:14 (RHSA-2021:3666)
375786 Node.js Remote Code Execution Vulnerability Aug 2021
376257 Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUJAN2022)
377157 Alibaba Cloud Linux Security Update for nodejs:14 (ALINUX3-SA-2021:0072)
690032 Free Berkeley Software Distribution (FreeBSD) Security Update for node.js (b092bd4f-1b16-11ec-9d9d-0022489ad614)
710820 Gentoo Linux c-ares Multiple Vulnerabilities (GLSA 202401-02)
751061 OpenSUSE Security Update for nodejs12 (openSUSE-SU-2021:2875-1)
751071 OpenSUSE Security Update for nodejs12 (openSUSE-SU-2021:1214-1)
751171 OpenSUSE Security Update for nodejs14 (openSUSE-SU-2021:3211-1)
751178 OpenSUSE Security Update for nodejs14 (openSUSE-SU-2021:1313-1)
752490 SUSE Enterprise Linux Security Update for nodejs10 (SUSE-SU-2022:2855-1)
900315 CBL-Mariner Linux Security Update for nodejs 14.17.2
901248 Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs (6745-1)
903104 Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs (5424)
940217 AlmaLinux Security Update for nodejs:12 (ALSA-2021:3623)
940388 AlmaLinux Security Update for nodejs:14 (ALSA-2021:3666)