Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.
References
Link | Resource |
---|---|
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf | Patch Third Party Advisory |
https://hackerone.com/reports/1211160 | Exploit Third Party Advisory |
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/ | Patch Release Notes Vendor Advisory |
https://security.netapp.com/advisory/ntap-20210805-0003/ | Third Party Advisory |
Configurations
History
06 Apr 2022, 14:30
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:* |
|
First Time |
Siemens sinec Infrastructure Network Services
Siemens |
|
References | (MISC) https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/ - Patch, Release Notes, Vendor Advisory | |
References | (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf - Patch, Third Party Advisory |
10 Mar 2022, 17:41
Type | Values Removed | Values Added |
---|---|---|
References |
|
20 Sep 2021, 12:30
Type | Values Removed | Values Added |
---|---|---|
References |
|
15 Jul 2021, 14:04
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-732 | |
CVSS |
v2 : v3 : |
v2 : 4.4
v3 : 7.8 |
References | (MISC) https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/ - Release Notes, Vendor Advisory | |
References | (MISC) https://hackerone.com/reports/1211160 - Exploit, Third Party Advisory | |
CPE | cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* |
12 Jul 2021, 11:45
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-07-12 11:15
Updated : 2023-12-10 13:55
NVD link : CVE-2021-22921
Mitre link : CVE-2021-22921
CVE.ORG link : CVE-2021-22921
JSON object : View
Products Affected
siemens
- sinec_infrastructure_network_services
nodejs
- node.js
microsoft
- windows
CWE
CWE-732
Incorrect Permission Assignment for Critical Resource