{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-22918", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "dateUpdated": "2025-04-30T22:24:33.832Z", "dateReserved": "2021-01-06T00:00:00", "datePublished": "2021-07-12T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2025-04-30T22:24:33.832Z"}, "descriptions": [{"lang": "en", "value": "Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo()."}], "affected": [{"product": "Node", "vendor": "NodeJS", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "4.0", "status": "affected", "lessThan": "4.*"}, {"versionType": "semver", "version": "5.0", "status": "affected", "lessThan": "5.*"}, {"versionType": "semver", "version": "6.0", "status": "affected", "lessThan": "6.*"}, {"versionType": "semver", "version": "7.0", "status": "affected", "lessThan": "7.*"}, {"versionType": "semver", "version": "8.0", "status": "affected", "lessThan": "8.*"}, {"versionType": "semver", "version": "9.0", "status": "affected", "lessThan": "9.*"}, {"versionType": "semver", "version": "10.0", "status": "affected", "lessThan": "10.*"}, {"versionType": "semver", "version": "11.0", "status": "affected", "lessThan": "11.*"}, {"versionType": "semver", "version": "12.0", "status": "affected", "lessThan": "12.22.2"}, {"versionType": "semver", "version": "13.0", "status": "affected", "lessThan": "13.*"}, {"versionType": "semver", "version": "14.0", "status": "affected", "lessThan": "14.17.2"}, {"versionType": "semver", "version": "15.0", "status": "affected", "lessThan": "15.*"}, {"versionType": "semver", "version": "16.0", "status": "affected", "lessThan": "16.4.1"}]}], "references": [{"url": "https://hackerone.com/reports/1209681"}, {"url": "https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/"}, {"url": "https://security.netapp.com/advisory/ntap-20210805-0003/"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"}, {"name": "GLSA-202401-23", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202401-23"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "Out-of-bounds Read (CWE-125)", "cweId": "CWE-125"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:58:25.665Z"}, "title": "CVE Program Container", "references": [{"url": "https://hackerone.com/reports/1209681", "tags": ["x_transferred"]}, {"url": "https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20210805-0003/", "tags": ["x_transferred"]}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "tags": ["x_transferred"]}, {"name": "GLSA-202401-23", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202401-23"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "21182B8A-26B0-4B41-936B-0FE9BE2A9106", "versionEndExcluding": "12.22.2", "versionStartIncluding": "12.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "1F098EFB-E24C-4277-B868-19FF6195E19D", "versionEndExcluding": "14.17.2", "versionStartIncluding": "14.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "99CD41F3-115F-459D-A935-F55784CB5989", "versionEndExcluding": "16.4.1", "versionStartIncluding": "16.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0F46497-4AB0-49A7-9453-CC26837BF253", "versionEndExcluding": "1.0.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo()."}, {"lang": "es", "value": "Node.js versiones anteriores a 16.4.1, 14.17.2, 12.22.2, es vulnerable a una lectura fuera de l\u00edmites cuando la funci\u00f3n  uv__idna_toascii() es usada para convertir cadenas a ASCII. El puntero p es le\u00eddo e incrementado sin comprobar si est\u00e1 m\u00e1s all\u00e1 de pe, siendo este \u00faltimo un puntero al final del buffer. Esto puede conllevar a una revelaci\u00f3n de informaci\u00f3n o el bloqueo de la misma. Esta funci\u00f3n puede ser desencadenada por medio de la funci\u00f3n uv_getaddrinfo()"}], "id": "CVE-2021-22918", "lastModified": "2024-11-21T05:50:54.763", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-07-12T11:15:07.937", "references": [{"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"}, {"source": "support@hackerone.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://hackerone.com/reports/1209681"}, {"source": "support@hackerone.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/"}, {"source": "support@hackerone.com", "url": "https://security.gentoo.org/glsa/202401-23"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210805-0003/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://hackerone.com/reports/1209681"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/202401-23"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210805-0003/"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "support@hackerone.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:3073", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "low", "package": "nodejs:12-8040020210708131418.522a0ee4", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-08-10T00:00:00Z"}, {"advisory": "RHSA-2021:3074", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "low", "package": "nodejs:14-8040020210708154809.522a0ee4", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-08-10T00:00:00Z"}, {"advisory": "RHSA-2021:3075", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "low", "package": "libuv-1:1.41.1-1.el8_4", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-08-10T00:00:00Z"}, {"advisory": "RHSA-2021:3639", "cpe": "cpe:/a:redhat:rhel_eus:8.1", "package": "nodejs:12-8010020210817113128.c27ad7f8", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2021-09-22T00:00:00Z"}, {"advisory": "RHSA-2021:3638", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "nodejs:12-8020020210817125332.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2021-09-22T00:00:00Z"}, {"advisory": "RHSA-2021:2931", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs12-nodejs-0:12.22.2-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-07-28T00:00:00Z"}, {"advisory": "RHSA-2021:2931", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs12-nodejs-nodemon-0:2.0.3-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-07-28T00:00:00Z"}, {"advisory": "RHSA-2021:2932", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs14-nodejs-0:14.17.2-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-07-28T00:00:00Z"}, {"advisory": "RHSA-2021:2932", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs14-nodejs-nodemon-0:2.0.3-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-07-28T00:00:00Z"}, {"advisory": "RHSA-2021:2931", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs12-nodejs-0:12.22.2-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-07-28T00:00:00Z"}, {"advisory": "RHSA-2021:2931", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs12-nodejs-nodemon-0:2.0.3-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-07-28T00:00:00Z"}, {"advisory": "RHSA-2021:2932", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs14-nodejs-0:14.17.2-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-07-28T00:00:00Z"}, {"advisory": "RHSA-2021:2932", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "low", "package": "rh-nodejs14-nodejs-nodemon-0:2.0.3-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-07-28T00:00:00Z"}], "bugzilla": {"description": "libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes", "id": "1979338", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1979338"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-125", "details": ["Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().", "A flaw has been found in libuv. Node.js is vulnerable to out-of-bounds read in libuv's uv__idna_toascii() function which is used to convert strings to ASCII which is called by Node's DNS module's lookup() function and can lead to information disclosures or crashes. The highest threat from this vulnerability is to system availability."], "name": "CVE-2021-22918", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Fix deferred", "impact": "low", "package_name": "libuv", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:amq_interconnect:1", "fix_state": "Fix deferred", "impact": "low", "package_name": "libuv", "product_name": "A-MQ Interconnect 1"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:16/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "libuv", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openstack-optools:13", "fix_state": "Out of support scope", "impact": "low", "package_name": "libuv", "product_name": "Red Hat OpenStack Platform 13 (Queens) Operational Tools"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Will not fix", "impact": "low", "package_name": "nodejs", "product_name": "Red Hat Quay 3"}], "public_date": "2021-07-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-22918\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-22918\nhttps://nodejs.org/en/blog/vulnerability/july-2021-security-releases/"], "statement": "As distributed by Red Hat, a maximum of 3 bytes out of bound can be read. This would not be sufficient to crash nodejs or other applications using libuv, unless it was recompiled using an address sanitizer. The memory disclosure is also very limited.\nRed Hat Quay version 3.5 does not ship nodejs. Red Hat Quay version 3.4 consumes the nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because they don't use nodejs as a HTTP server.\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security", "threat_severity": "Low"}