CVE-2021-22931

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
cpe:2.3:a:netapp:nextgen_api:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm:21.2.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*

History

02 Dec 2021, 20:28

Type Values Removed Values Added
References (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory
References (CONFIRM) https://security.netapp.com/advisory/ntap-20210923-0001/ - (CONFIRM) https://security.netapp.com/advisory/ntap-20210923-0001/ - Third Party Advisory
References (CONFIRM) https://security.netapp.com/advisory/ntap-20211022-0003/ - (CONFIRM) https://security.netapp.com/advisory/ntap-20211022-0003/ - Third Party Advisory
CPE cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:graalvm:21.2.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:*
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:nextgen_api:-:*:*:*:*:*:*:*

22 Oct 2021, 18:15

Type Values Removed Values Added
References
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20211022-0003/ -

20 Oct 2021, 11:16

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html -

23 Sep 2021, 13:15

Type Values Removed Values Added
References
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20210923-0001/ -

24 Aug 2021, 13:54

Type Values Removed Values Added
References (MISC) https://hackerone.com/reports/1178337 - (MISC) https://hackerone.com/reports/1178337 - Permissions Required, Third Party Advisory
References (MISC) https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/ - (MISC) https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/ - Vendor Advisory
CVSS v2 : unknown
v3 : unknown
v2 : 7.5
v3 : 9.8
CWE CWE-20
CPE cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

16 Aug 2021, 19:16

Type Values Removed Values Added
New CVE

Information

Published : 2021-08-16 19:15

Updated : 2021-12-02 20:28


NVD link : CVE-2021-22931

Mitre link : CVE-2021-22931


JSON object : View

Products Affected

nodejs

  • node.js

netapp

  • nextgen_api
  • snapcenter
  • oncommand_workflow_automation
  • active_iq_unified_manager
  • oncommand_insight

oracle

  • graalvm
  • mysql_cluster
CWE
CWE-20

Improper Input Validation